JP2003101526A - Method for binding digital license to portable device and for checking out or checking in digital license from or to portable device in digitized right management (drm) system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an enforcing method for enhancing digital license right in order to prevent illegal conducts. SOLUTION: In order to render a digital contents encrypted according to a contents key (KD) on a first device having a public key (PU1) and a corresponding private key (PR1), a digital license corresponding to the contents is acquired. The digital license houses the contents key (KD) in an encrypted form. The encrypted contents key (KD) from the digital license is decrypted to get the contents key (KD), and the public key (PU1) of the first device is acquired from the first device. Then, the contents key (KD) is encrypted to be (PU1 KD)) according to the public key (PU1) of the first device, a sub license corresponding to and based on the acquired license is configured, where the sub license contains (PU1 KD)). Thereafter, the configured sub license is forwarded to the first device.

Description

Detailed Description of the Invention

[0001]

FIELD OF THE INVENTION The present invention relates to an architecture for rights enforcement in digital content.
More specifically, the present invention relates to a mandatory architecture that allows access to encrypted digital content only according to parameters specified in the license rights acquired by the user of the digital content.

Related Patent Application of the Present Application As a patent application related to the present application, "digitization right management
(DRM) Binding of digital contents to portable storage device etc. in system (BINDI
NG DIGITAL CONTENT TO A PORTABLE STORAGE DEVICE OR
THE LIKE IN ADIGITAL RIGHTS MANAGEMENT (DRM) SYST
No. 09 / 645,887, filed August 25, 2000, entitled "EM)," ENFORCEMENT ARCHITECTURE
AND METHOD FOR DIGITAL RIGHTS MANAGEMENT) '' filed on April 12, 1999 in U.S. patent application No. 09/29
0,363, and "Enforcement Architecture and Method for Digitization Rights Management (ENFORCEMENT ARCHITECTURE AND
METHOD FOR DIGITAL RIGHTS MANAGEMENT) '' filed on March 27, 1999, U.S. provisional patent application No. 60/126,
No. 614, all of which are incorporated herein by reference.

[0003]

2. Description of the Related Art Digital rights management
gement) and enforcement are strongly desired for digital content such as digital audio, digital video, digital text, digital data, digital multimedia, etc., where such digital content will be delivered to users. ing. Typical distribution forms are magnetic (floppy) disks, magnetic tapes, and optical (compact) disks.
(CD) and other tangible devices, and electronic bulletin boards (electr
onic bulletin board, electronic network
There are intangible media such as network and the Internet. When these digital contents are received by the user, the user uses a suitable rendering device such as a media player to render the digital contents on a personal computer or the like (rendering: expression, performance, translation, etc.) or "Playing".

[0004] As a typical example, content owners or rights owners (hereinafter referred to as authors, publishers, broadcasters, etc.)
The "content owner") wants to deliver its digital content to users or recipients in return for license fees and other rewards. By giving the content owner the choice,
It wants to put restrictions on how users handle distributed digital content. For example, the content owner may at least restrict the user from copying and redistributing the content to another user in such a way that the content owner is denied receiving license fees from another user. Wants to do.

Moreover, while content owners want to give users the flexibility to purchase different types of usage licenses for different license fees, regardless of what type of license was actually purchased. ,
I want to bind my users to their license terms. For example, content owners may set limits on the number of plays, limits on the total amount of time, limits on the type of machine, types of media player, etc. when playing distributed digital content. It may be desirable to have restrictions or restrictions on the type of user.

However, after distribution, management of digital content by the content owner, if any, is very limited. This means that almost all new or modern personal computers take a digital copy of digital content, download it to a writable magnetic or optical disc, or copy the digital copy to the Internet or the like. It is particularly problematic because it has the software and hardware necessary to send it to any destination on the network.

Of course, as part of the legitimate transaction for which a license fee has been obtained, the content owner may make a promise to the digital content user not to resell the digital content. But such promises are easily made and easily broken. Content owners typically use encrypted devices on one of several well-known security devices.
(encryption) and decryption (also called decryption)
By trying to prevent resale.
However, there is little guarantee that an indecisive user will not decrypt the encrypted digital content, save the digital content in an unencrypted form, and then resell it.

[0008]

Therefore, it is possible to render and play digital content of arbitrary shape under control, and the control is flexible and definable by the content owner of the digital content. It is desirable to provide a compulsory architecture and method. It is also desirable to provide a controlled rendering environment on a computing device such as a personal computer, where it is desired that the rendering environment include at least a portion of the enforcement architecture. This controlled rendering environment allows digital content to be rendered even if it is rendered on a computing device that is not under the control of the content owner.
It will only be rendered as specified by the content owner.

In addition, a trusted component running on the computing device
onent: supervised component), in which case the trusted component will also attempt to access one piece of digital content by a user of the computing device in a manner not permitted by the content owner. Enforce the rights of the content owner on the computing device with respect to the digital content. As one example, the trusted software component prevents a user of a computing device from making a copy of the digital content unless the content owner otherwise permits it.

[0010]

According to the present invention, a public key
(public key) (PU1) and its corresponding private key (privat
A method is provided for rendering encrypted digital content on a first device that owns an e key) (PR1), where the digital content is encrypted according to a content key (KD). There is. This way, the content corresponds to a digital license
A (digital license) has been obtained, and the digital license contains the content key (KD) in encrypted form. Encrypted content key (K
D) is decrypted (decrypted) to get the content key (KD), and the public key (PU1) of the first device is obtained from it. After that, the content key (KD) is encrypted according to the public key (PU1) of the first device (PU1 (KD)), corresponds to the acquired license, and a sublicense based on it is configured, where the sublicense is Contains (PU1 (KD)). The configured sublicense is transferred to the first device, where the first device uses its private key.
With (PR1), you can decrypt (PU1 (KD)) to get the content key (KD), and use the obtained content key (KD) to render encrypted content on the first device. ing.

In order to check out the sublicense from the second device to the first device, the second device has a nonce (a one-time key.
(referred to as “nce”) to the first device and receives the nonce. The second device then sends the checked-out sub-license and the nonce to the first device. The first device then concludes that the nonce sent by the second device is the same as the nonce received by the second device, and thus
It is concluded that the sublicense sent along with the transmission nonce is legal (also called legitimate), and the transmission sublicense is stored. In order to check in the checked out sublicense, the first device deletes the checked out sublicense,
A second trusted indication is then given that the checked-out sublicense was indeed deleted.
Give to the device.

The outline of the present invention is as described above.
Hereinafter, in order to facilitate understanding of the present invention, embodiments of the present invention will be described in detail with reference to the accompanying drawings. For the sake of convenience of the description of the invention, the drawings show an embodiment which is considered presently preferred. It should be understood, of course, that the invention is not limited to the specific arrangements and instrumentality shown.

[0013]

DETAILED DESCRIPTION OF THE INVENTION A detailed description will be given below with reference to the accompanying drawings. Note that similar elements are denoted by similar reference numerals throughout the drawings. FIG. 1 illustrates an enforcement arch according to an embodiment of the present invention.
itecture) 10 is shown. Briefly, according to this compulsory architecture 10, the owner of digital content 12 specifies license rules that the digital content 12 must satisfy before being rendered on a user's computing device 14. Is possible. This license rule applies to users / user computing devices (use
r's computing device) 14 (these terms are used interchangeably below) is incorporated into a digital license 16 that must be obtained from the content owner or its agent. Digital content 12 is distributed in encrypted form, but may be distributed freely and widely. Preferably, a decrypting key KD for decrypting the digital content 12 is embedded in the license 16.

Computer Environment FIG. 13 and the following description are intended to provide a summary and description of a suitable computing environment in which the present invention and / or portions thereof may be implemented. Although not necessary, the invention is described in the broadest sense of computer-executable instructions, such as program modules, being executed by a computer, such as a client workstation or server. Generally, a program module performs a specific task,
Or a routine that implements a particular abstract data type,
Programs, objects, components, data structures, etc. Moreover, it should be understood that the present invention and / or portions thereof may be practiced with other computer system configurations, including handheld devices, multiprocessor systems, microprocessor-based or Includes programmable consumer electronics, network PCs, minicomputers, mainframe computers and more.
The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

As shown in FIG. 13, the exemplary general purpose computing system is a conventional personal computer 1.
A personal computer, such as a computer, includes a processing unit 121, a system memory 122, and a system bus 123 coupling various system components including the system memory to the processing unit 121. The system bus 123 can be any of several types of bus structures, including a memory bus or memory controller employing any of a variety of bus architectures, a peripheral (peripheral) bus, and a local bus. It is included. The system memory includes a read only memory (ROM) 124 and a random access memory (random access memory RAM).
125 are included. A basic input / output system BIOS consisting of the basic routines that help to transfer information between elements within a personal computer, such as during start-up 1.
26 is stored in the ROM 124.

The personal computer 120 further includes a hard disk drive 127 for reading and writing with a hard disk (not shown), a magnetic disk drive 128 for reading and writing with a removable magnetic disk 129, and a CD-ROM and others. It is equipped with an optical disk drive 130 for reading and writing with a removable optical disk 131 such as an optical medium. The hard disk drive 127, magnetic disk drive 128, and optical disk drive 130 are connected to the system bus 123 via a hard disk drive interface 132, a magnetic disk drive interface 133, and an optical disk drive interface 134, respectively. These drives and their associated computer-readable media store computer-readable instructions, data structures, program modules and other data for personal computer 120 as non-volatile storage.

Although the exemplary environment described herein employs a hard disk, removable magnetic disk 129, and removable optical disk 131, it should be understood that it stores data that is accessible by a computer. Other types of computer-readable media that can be stored in the exemplary operating environment can also be employed. Other such types of media include magnetic cassettes, flash memory cards, digital video discs, Bernoulli cartridges, random access memory (RAM), read only memory (ROM).

Some program modules include a hard disk, a magnetic disk 129, an optical disk 131,
It may be stored in ROM 124 or RAM 125, such as operating system 135, one or more application programs 136, other program modules 137 and program data 138. The user can input commands and information to the personal computer 120 through input devices such as the keyboard 140 and the pointing device 142. Other input devices (not shown) include a microphone, game pad,
There are satellite dishes and scanners. The above and other input devices are often connected to the processing unit 121 through a serial port interface 146 coupled to the system bus, such as parallel port, game port, universal serial bus (universa).
It is also possible to connect with other interfaces such as l serial bus USB). A monitor 147 or other type of display device is also connected to the system bus 123 via an interface such as a video adapter 148. In addition to the monitor 147, personal computers are typically equipped with other peripheral (peripheral) output devices (not shown) such as speakers and printers. The exemplary system shown in FIG. 13 has a host adapter 1
55, Small Computer System Interface (Smal
It also includes a Computer System Interface SCSI) bus 156 and an external storage device 161 connected to the SCSI bus 156.

Personal computer 120 can operate in a networking environment that uses logical connections with one or more remote computers, such as remote computer 149. The remote computer 149 is another personal computer,
It can be a server, router, network PC, peer device or other common network node,
Although only memory storage device 150 is shown in FIG. 13, it is typically equipped with many or all of the elements described above with respect to personal computer 120. The logical connection shown in FIG. 13 is a local area network.
LAN 151 and wide area network
WAN) 152. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.

When used in a LAN networking environment, the personal computer 120 may connect to the LAN 15 through a network interface or adapter 153.
Connected to 1. When used in a WAN networking environment, personal computer 120 is typically equipped with a modem 154 or other means for establishing communication over a wide area network 152 such as the Internet. The modem 154 includes an internal type and an external type, both of which are connected to the system bus 123 via the serial port interface 146. In a networking environment, the program modules described above with respect to personal computer 120, or portions thereof, may be stored in a remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

Architecture Referring back to FIG. 1, in one embodiment of the invention, architecture 10 includes an authoring tool (auth) in addition to the user computing device 14 described above.
oring tool) 18, a content key database 20, a content server 22, a license server 24, and a black box server 26.

Architecture-Authoring Tool 1
8 authoring tool 18 is the architecture 1 of the present invention.
Used by content owners to package a piece of digital content 12 into a form that is easy to use in connection with 0. Specifically, the content owner instructs the authoring tool 18 on the digital content 12, the instructions and / or rules to attach to the digital content 12, and the instructions and / or rules on how to package the digital content 12. I'm giving. In response to this, the authoring tool 18 outputs the digital content package 12p containing the digital content 12 encrypted according to the encryption / decryption key and the instructions and / or rules attached to the digital content 12.

In one embodiment of the present invention, the authoring tool 18 includes a package 1 of several different digital contents 12, each containing the same digital contents 12 encrypted according to different encryption / decryption keys.
You will be instructed to make 2p serially. As will be understood, if the same digital content 12 is stored in several different packages 12, the package 12p / content 12 (hereinafter, simply referred to as “digital content 12” except for special circumstances). Name)
It is convenient for tracking the delivery of.
This distribution tracking is usually not necessary, but may be used by investigative authorities if the digital content 12 is illegally sold or broadcast.

In one embodiment of the invention, the encryption / decryption key that encrypts the digital content 12 is a symmetric key in the sense that the encryption key is also the decryption key (KD).
y). As explained in detail below,
This decryption key (KD) is sent invisible to the user's computing device 14 as part of the license for that digital content 12. Preferably 1
Each digital content 12 has a content ID (or each package 12p has a package ID), each decryption key (KD) has a key ID, and the authoring tool 18 uses ( Or decryption key (KD) of each package 12p, key ID,
The content ID (or package ID) is stored in the content key database 20.
Furthermore, the type of the license 16 issued for the digital content 12 and the license data regarding the terms and conditions for each license type can be stored in the content key database 20 or in another database (not shown). It is also possible to keep it. Preferably, the license data is adapted for subsequent modification by the content owner, depending on the circumstances and market demands.

In use, in particular, the following information is given to the authoring tool 18. The digital content 12 to be packaged, the type and parameters if watermarking and / or fingerprints are adopted, the type and parameters if data compression is adopted, the type of encryption used Type and parameters, and instructions and / to attach to the digital content 12.
Or a rule.

As is known, a watermark is an invisible computer readable signal that is added to digital content 12 as an identifier (ID). Fingerprints are watermarks that differ for each instant. As will be appreciated, an instance is a version of digital content 12 that is each unique. Any instance can make multiple copies, and every copy belongs to a particular instance. When a particular instance of digital content 12 is illegally sold or broadcast, the investigative authority will probably
The suspect can be identified according to the watermark / fingerprint added to 2.

Data compression can be done according to any applicable compression algorithm without departing from the spirit and scope of the present invention. For example, .mp3 or .wav compression algorithms can be used. Of course, the digital content 12 may already be in compression, in which case no additional compression is required.

The instructions and / or rules attached to the digital content 12 can be almost any applicable instructions, rules, or other information without departing from the spirit and scope of the present invention. As will be explained below, the accompanying instructions / rules / information are license 1 for rendering digital content 12.
6 is used primarily by the user and the user's computing device 14. Thus, the accompanying instructions / rules / information can include a properly formatted license acquisition script, etc., as described in detail below. Additionally or alternatively, the accompanying instructions / rules / information include:
“Preview” information may be included that allows the user to preview the digital content 12.

Using the information provided, authoring tool 18 creates one or more packages 12p corresponding to digital content 12. Each package 12p can be stored in the content server 22 in preparation for external distribution.

In one embodiment of the present invention, described with reference to FIG. 2, the authoring tool 18, as the dynamic authoring tool 18, receives input parameters that can be specified and manipulated. Therefore, the authoring tool 18 can create a plurality of types of packages 12p for a plurality of digital contents 12 at high speed. Preferably, the input parameters are embodied in the form of a dictionary 28, as shown, and the dictionary 28 contains the following parameters: -The name of the input file 29a containing the digital content 12, -the type of encoding performed, -the encryption / decryption key (KD) employed, -the package 12p with the digital content 12
Ancillary instructions / rules / information (“header information”) that are packaged into :, the type of muxing that is performed, and—a package 12p based on digital content 12
The name of the output file 29b to which is written.

As can be appreciated from the above, this dictionary 28 can be easily and quickly modified by the operator (human or machine) of the authoring tool 28, so the type of authoring performed by the authoring tool 18 is similar. It is dynamically and easily and quickly modifiable. In one embodiment of the invention,
The authoring tool 18 comprises an operator interface (not shown) that can be displayed to a human operator from a computer screen. Thus, a human operator can modify the dictionary 28 through this interface, and further assist in modifying the dictionary through this interface.
/ Or can be restricted.

In the authoring tool 18, as shown in FIG. 2, the source filter 18a is
Input file 29 containing digital content 12
receives the name of a from the dictionary 28, retrieves its digital content 12 from its input file,
The digital content 12 is stored in the memory 29c such as RAM. After that, the encoding filter (encoding filte
r) 18b encodes the digital content 12 stored in the memory 29c, and the dictionary 28
Convert the file from the input format to the output format (ie .wav to .asp, .mp3 to .asp, etc.) according to the type of encoding specified in, and store the encoded digital content 12 in the memory 29c. Put it in. As shown, the packaged digital content 12 (eg, music) is received in a compressed format, such as .wav or .mp3 format, and .asp
(Active streaming protocol
ing protocol)) format and other formats. Of course, other input and output formats may be used without departing from the spirit and scope of the invention.

After that, the encryption filter (encryption f
ilter) 18c encrypts the encoded digital content 12 in the memory 29c according to the encryption / decryption key (KD) specified in the dictionary 28, and stores the encrypted digital content 12 in the memory 12. .
Next, the header filter 18d stores the header information specified in the dictionary 28,
It is added to the encrypted digital content 12 in the memory 29c.

As will be appreciated, in some circumstances package 12p may include multiple streams of digital content 12 that are temporarily aligned (one of which is shown in FIG. 2). , Where these streams are multiplexed (ie, "muxing")
Has been done. Therefore, the multiplex (mux) filter 18e
According to the type of multiplexing specified in the dictionary 28, the header information stored in the memory 29c and the encrypted digital content 12 are multiplexed, and the result is stored in the memory 29c. Next, the file writer filter 18f
The result is fetched from the memory 29c, and the result is written as a package 12p in the output file specified in the dictionary 28.

It should be noted here that in some cases the type of encoding performed will usually not change. The type of muxing is typically based on the type of coding, so the type of muxing is usually the same. If this is the case in practice, the parameters relating to the type of coding and / or the type of multiplexing need not be included in the dictionary 28. Instead, all that is required is to "hardwire" the type of multiplexing into the mux filter. Of course, depending on the circumstances, the authoring tool 18 may not have all of the filters described above, or may have other filters, and any of the filters may be hardwired. Can also be incorporated into Dictionary 2
The function can also be executed according to the parameters specified in 8. All of these are included in the spirit and scope of the present invention.

Preferably, the authoring tool 18 is
Is implemented on the applicable computer, processor, or other computing machine through the applicable software. The structure and operation of this machine and this software should be understood by reading the description provided herein, and will not be discussed further here.

Architecture-Content Server 22 Returning to FIG. 1, in one embodiment of the present invention, the content server 22 delivers the package 12p created by the authoring tool 18 or otherwise allows retrieval. To This package 12
p, through any applicable distribution channel, without departing from the spirit and scope of the present invention.
Can be delivered upon request. For example, this delivery channel can be the Internet or another network, an electronic bulletin board, electronic mail, or the like. Furthermore, the content server 22
Can be used to copy the package 12p onto a magnetic disk or optical disk or other storage device so that the storage device can be delivered thereafter.

As can be understood from the above, the content server 22 delivers the package 12p regardless of the problem of credit or security. As described below, this issue is addressed in the context of the license server 24 and the relationship between the license server 24 and the user's computing device 14. In one embodiment of the present invention, the content server 22 freely releases the package containing the digital content 12 and distributes it to the distribution destination requesting the package. However, the content server 12 may also release and deliver the package 12p in a limited fashion without departing from the spirit and scope of the invention. For example, the content server 22
Based on the ID of the distribution destination, whether the distribution is requested after paying a predetermined distribution fee first, the distribution destination is requested to be the original person, or whether distribution is to be performed. You can also do it.

In addition, the content server 22 allows inventory management by controlling the authoring tool 18 to generate several different packages 12p in anticipation of future demand. For example, this server is the same digital content 1
If 100 packages are generated based on 2, each package 12p can be used 10 times. For example, when the supply of package 12p is reduced to 20,
For example, the content server 22 may generate the 80 additional packages in this case, too.
8 can be instructed.

Preferably, the content server 22 in the architecture 10 has a unique public / private key pair (PU-CS, PR-CS), which evaluates the license 16 and decrypts the corresponding digital content 12. Used as part of the process of obtaining a decryption key (KD) to do so. Note that this will be described in detail below. As is known, a public / private key pair is an asymmetric key in the sense that what is encrypted by one of the keys in the key pair can only be decrypted by the other key in the key pair.
(asymmetric key). In a public / private key pair encryption system, the public key can be made public, while the private key is always kept secret by the owner of the private key. Therefore, when the content server 22 encrypts the data with the secret key (PR-CS), the encrypted data can be sent to the outside together with the public key (PU-CS) for the purpose of decryption. On the other hand, if the external device sends data to the content server 22 and wants only that content server 22 to be able to decrypt the data, the external device first makes the public key (PU- CS) must be obtained and then the data must be encrypted with its public key. Therefore, the content server 22 (and only the content server 22) can use the private key (PR-CS) to decrypt the encrypted data.

Similar to the case of the authoring tool 18, the content server 22 is realized on the corresponding computer, processor, or other computing machine through the corresponding software. The structure and operation of this machine and this software should be understood by reading the description herein, and will not be discussed further here. Furthermore, in one embodiment of the present invention, the authoring tool 18 and the content server 2 are
2 can be placed in separate workspaces on a single computer, processor or other computing machine. Further, as will be understood, the content server 22 may incorporate the authoring tool 18 in some circumstances.
It is also possible to carry out the functions of the authoring tool 18. This is as described above.

Structure of digital content package 12p
Structure Next, referring to FIG. 3, in one embodiment of the present invention, the digital content package 12p when distributed by the content server 22 includes the following. − Digital content 12 (ie KD (CONTE) that was encrypted using the encryption / decryption key (KD) as described above.
NT)),-the digital content 12 (or package 1)
2p) content ID (or package ID),-decryption key (KD) key ID, -preferably unencrypted license acquisition information, and-public key (PU-CS) of content server 22 Is the key ID for encrypting the
-CS) (that is, (KD (PU-CS) S (PR-C
S))).

What should be understood regarding (KD (PU-CS) S (PR-CS)) is that this item is a digital content 12 and / or a package 12p, as described below.
Is to be used in connection with testing whether or not Unlike a digitally signed certificate (see below), you can get (KD (PU-CS) without a key (PU-CS).
Instead, the key (PU-CS) is obtained simply by applying the decryption key (KD). Once you have the key (PU-CS), you can use it to test the validity of the signature (S (PR-CS).

Further, as will be understood, in order to make the authoring tool 18 build this package 12P, the authoring tool 18 needs to obtain license acquisition information and (KD (PU-CS) S (PR-CS) ) Must already be owned as header information, possibly from the dictionary 28. Furthermore, authoring tool 1
8 and the content server 22 must probably interact with each other to build (KD (PU-CS) S (PR-CS)). This exchange can be performed in the following steps, for example. -The content server 22 sends (PU-CS) to the authoring tool 18, -The authoring tool 18 acquires (KD (PU-CS) by encrypting (PU-CS) with (KD), and- 18 sends (KD) (PU-CS) to the content server 22, and-the content server 22 (PR-CS) sends (KD (PU-CS)).
To obtain (KD (PU-CS) S (PR-CS)), and-the content server 22 sends (KD (PU-CS) S (PR-CS)) to the authoring tool 18.

Architecture-License Server 24 Returning to FIG. 1, in one embodiment of the present invention, the license server 24 includes one digital content item 12.
In connection with the request for a license 16 from the user's computing device 14, determine whether the user's computing device 14 can trust the issued license 16 as respecting, and Negotiate and license 16
And perform the function of sending its license 16 to the user's computing device 14. The transmitted license 16 preferably includes a decryption key (KD) for decrypting the digital content 12. The license server 24 and the above functions are described in detail below. Preferably, like the content server 22, the license server 24 in architecture 10 has a unique public / private key pair (PU-LS, PR-LS).
Owns a decryption key (KD) for evaluating the license 16 and decrypting the corresponding digital content 12.
Used as part of the process of getting. Note that this will be described in detail below.

As with the authoring tool 18 and the content server 22, the license server 24
It is implemented on the corresponding computer, processor, or other computing machine through the corresponding software. The structure and operation of this machine and this software should be understood by reading the description provided herein, and will not be discussed further here. Further, in one embodiment of the invention, the authoring tool 18 and / or the content server 2
2 on a single computer, processor, or other computing machine, license server 24
You can put them in different workspaces together with.

In one embodiment of the invention, license 16
The license server 24 and the content server 22 conclude an agent contract, etc. prior to the issuance of
The license server 24 is a virtual licensing authority for at least a portion of the digital content 12 delivered by the content server 22.
ority: License consignment institution).
It will be appreciated that, without departing from the spirit and scope of the present invention, one content server 22 may have multiple license servers 24, such as agent contracts, and / or one license server 24 may have multiple license servers 24. It is also possible to conclude an agent contract with the content server 22.

[0048] Preferably, the license server 24 can externally show that it has the authority to issue a license to the digital content 12 distributed by the content server 22. The preferred way to do this is for the license server 24 to retrieve the public key (PU-CS) of the license server 24 from the content server 2.
2, the content server 22 receives the secret key (CERT (PU-LS) S (PR-CS)) of the content server 22.
The digital certificate containing the PU-LS is transmitted to the license server 24 as the content signed in (1). As will be understood, the content (PU-LS) in this certificate is the public key (P-LS) of the content server 22.
It can only be accessed using U-CS). Also, as will be understood, generally, the digital signature of the underlying data is an encrypted form of the data, so that the data has been tampered with or otherwise modified. If so, the data will not match when decrypted.

As a licensing authority associated with a piece of digital content 12, and as part of the licensing function, the license server 24 must be able to access the decryption key (KD) corresponding to that digital content 12. . Therefore, it is preferable that the license key 24 is stored in the content key database 20 in which the decryption key (KD), the key ID, and the content ID (or package ID) corresponding to the digital content 12 (or package 12P) are stored.
Is accessible.

Architecture-Black Box Server
When server 26 subsequently be described with reference to FIG. 1, in one embodiment of the present invention, the black box server 26, a new installation of the black box 30 to the user's computing device 14 and / or upgrade (version-up) functions Run. The black box 30 performs encryption and decryption functions for the user's computing device 14, as described in detail below. Again, as described in detail below, the black box 30 is intended to be secure and protected from attack. This security and protection is obtained, at least in part, by upgrading the black box 30 to a new version when needed through the black box server 26, as described in detail below.

Similar to the case of the authoring tool 18, the content server 22, and the license server 24, the black box server 20 is realized on the corresponding computer, processor, or other computing machine through the corresponding software. The structure and operation of this machine and this software should be understood by reading the description provided herein, and will not be discussed further here. Further, in one embodiment of the present invention, the license server 24,
The authoring tool 18 and / or content server 22 may be located in separate workspaces with the black box server 26 on a single computer, processor, or other computing machine. For security purposes, a sensible way is to keep the black box server 26 on a separate machine.

Architecture-User Compute
ING DEVICE 14 Referring now to FIG. 4, in one embodiment of the present invention, a user's computing device 14 includes a keyboard, mouse, screen, processor, RAM, RO.
Examples include personal computers equipped with elements such as M, hard drive, floppy drive, and CD player. However, the user's computing device 14 could be, among other things, a dedicated display device such as a television or monitor, a dedicated audio device such as a stereo or other music player, a dedicated printer, etc., all of which are books. It belongs to the spirit and scope of the invention.

The content owner of one piece of digital content 12 is the user's computing device 14
Trust that the digital content 12 will not be rendered unless it complies with the rules specified by the content owner, that is, if the user does not have a license 16 that permits rendering as requested. I have to. In this case, preferably the user's computing device 14 is a license 16 associated with the digital content 12, unless the computing device 14 is subject to license rules embodied in what was obtained by the user. A trusted component or mechanism 32 that convinces the content owner that he does not render the digital content 12.
Must be equipped with.

Here, the trusted mechanism 32 is a digital rights manager.
ent DRM) system 32, which is licensed when the user requests to render a piece of digital content 12 and whether the user has a license 16 to render the digital content 12 as requested. And enable the acquisition of that license 16 if necessary, and license 1
6 determines whether the user has the right to play the digital content 12 and, if the user has the right according to its license 16, decrypts the digital content 12 for rendering purposes. In the following, a DR located on the user's computing device 14 and related to the architecture 10
The contents and functions of the M system 32 will be described.

DRM System 32 The DRM system 32 uses the architecture 10 disclosed herein to perform four main functions. That is, (1) content acquisition, (2) license acquisition, (3) content rendering, and (4) installation / update of the black box 30. Of course, it will be appreciated that some of these functions require that the digital content 12 has already been acquired, but preferably any function can be performed at any time. ing.

DRM System 32-Content Acquisition The acquisition of digital content 12 by the user and / or the user's computing device 14 is typically a relatively simple matter, involving the encrypted digital content 12. It is common practice to place the files that are present on the user's computing device 14. Of course, the architecture 10 and DRM system 32 disclosed herein are
To handle encrypted digital content 12
Is a digital package 12p as described below.
Like its architecture 10 and DRM system 32
It must be in a manageable form.

As will be appreciated, digital content 12 may be, without departing from the spirit and scope of the present invention.
It is possible to obtain the content server 22 directly or indirectly by any method. For example, the digital content 12 may be downloaded from a network such as the Internet, placed on an obtained optical disk or magnetic disk, received as a part of an email message, or from an electronic bulletin board or the like. It is also possible to download.

Digital content 12 after being acquired
Preferably, the retrieved digital content 12 is stored in a form that is accessible by the DRM system 32 and the rendering application 34 (described below) running on the computing device 14. For example, digital content 12
Can be stored as a file on the hard disk (not shown) of the user's computing device 14 or on a network server side that can access the computing device 14. When the acquired digital content 12 is put in an optical disc, a magnetic disc, or the like, the disc only needs to be put in a corresponding drive (not shown) connected to the user's computing device 14. .

In the present invention, the digital content 12 is
The direct delivery source can be obtained from the content server 22 and the indirect delivery source can be obtained from an intervening source without any special tool. That is, what is desired is that the digital content 12 be as easily retrieved as any other data file. However, the DRM system 32 and / or the rendering application 34 may include an interface that facilitates a user in obtaining the digital content 12. For example, the interface may be a Web browser specially designed to find the digital content 12, a predefined Internet known to be the source of the digital content 12.
There are links to websites, etc.

DRM System 32-Content Render
5 , Part 1 Referring now to FIG. 5, in one embodiment of the invention, encrypted digital content 12 is delivered to, received by, and stored by a user.
Assuming it has been placed on the computing device 14 by the user in the form of
By executing some variant of the render command, the digital content 12
(Step 501).
For example, the rendering command may be embodied as a request to "play" or "open" the digital content 12. For example, MICROSOFT (Red
In some computing environments, such as the "MICROSOFT WINDOWS®" operating system provided by mond, Washington), this play or open command will
It can be as simple as "clicking" on the icon representing 2. Of course, this rendering command could be implemented in other forms without departing from the spirit and scope of the invention. In general, this rendering command can be considered to be executed when the user directs the file containing the digital content 12 to be opened, run, and executed.

Importantly, further, this rendering command
It can be embodied as a request to copy the digital content 12 to another form, such as an audio form. As will be appreciated, the same digital content 12 can be rendered in one form, such as on a computer screen, and then rendered in another form, such as a printed document. In the present invention, each type of rendering is performed only if the user has the right to do so, as described below.

In one embodiment of the invention, the digital content 12 is in the form of a digital file with the filename ending in an extension, and the computing device 14 launches a particular rendering application 34. You can decide whether to use the extension or not. For example, if the file name extension indicates that the digital content 12 is a text file,
The rendering application 34 is MICROSOFT (R
It's a kind of word processor, like the "MICROSOFT WORD" from edmond, Washington). Similarly,
Digital content 12 is audio, video, and
If the filename extension indicates that the file is a / or multimedia file, the rendering application 34 may use MICROSOFT (Redmond, Washin
It is a kind of multimedia player like "MICROSOFT MEDIA PLAYER" provided by gton).

Of course, other methods of determining a rendering application are possible without departing from the spirit and scope of the present invention. As one example, the digital content 12 contains metadata
(meta-data) (that is, the header information described above) can be stored in a non-encrypted format, and the metadata is related to the type of the rendering application 34 required to render the digital content 12. There is information.

Preferably, the rendering application 34 examines the digital content 12 associated with the file name and determines if the digital content 12 is rights protected encrypted (steps 503, 505). If it is not protected, the digital content 12 will be rendered comfortably thereafter. If protected, the rendering application 34 determines from the encrypted digital content 12 that the DRM system 32 is required to play the digital content 12. Therefore, this rendering application 34 is based on the DRM system 32.
To the user's computing device 14 (step 509). Next, the rendering application uses the DRM system 32
To decrypt the digital content 12 (step 511). As detailed below,
The DRM system 32 actually decrypts the digital content 12 only if the user has a valid license 16 for the digital content 12 and the right to play the digital content 12 according to the license rules of the valid license 16. Is. Preferably DR
When the M system 32 is called by the rendering application, the DRM system 32 controls from the rendering application 34, at least for the purpose of determining whether the user has the right to play that digital content 12. Is received (step 513).

DRM System 32 Components In one embodiment of the present invention, returning to FIG.
The M System 32 is a license evaluator.
evaluator: license evaluation device) 36, black box 30, license store (license storage device) 3
8 and a state store (state storage device) 40.

Components of DRM System 32-La
License Evaluator 36 The license evaluator 36 specifically locates one or more licenses 16 corresponding to the requested digital content 12, determines if the license is valid, and reviews the license rules for that valid license. Then, it is determined based on the reviewed license rule whether the requesting user has the right to render the requested digital content 12 as requested. As will be appreciated, the license evaluator 36 is a trusted component in the DRM system 32. As used herein, the term "trusted" means that the trusted element fulfills the wishes of the owner of the digital content 12 in accordance with the rights statement of the license 16 and for any purpose, whether the user is unlawful or not. Convincing the license server 24 (or other trust element) that the trusted element cannot be easily modified.

The license evaluator 36 ensures that the license evaluator 36 actually evaluates the license 16 correctly, and the license evaluator 3
6 must be trusted to ensure that it has not been illegally altered or modified by the user for the purpose of bypassing the actual evaluation of license 16. Therefore,
The license evaluator 36 runs in a protected or protected environment in a manner that denies a user access to the license evaluator 36. Of course, other safeguards may be employed in connection with license evaluator 36 without departing from the spirit and scope of the present invention.

Components of DRM System 32
Rack Box 30 Mainly, as described above, the black box 30 is
Performs encryption and decryption functions in DRM system 32. Specifically, the black box 30 works with the license evaluator 36 to decrypt and encrypt certain information as part of the license evaluation function. Further, when the license evaluator 36 determines that the user surely owns the right to render the requested digital content 12 as requested, the decryption key (KD) of the digital content 12 is stored in the black box 30. Given, Black Box 30
Performs the function of decrypting the digital content 12 based on the decryption key (KD).

The black box 30 is also the DRM system 3
It is a trusted component in 2.
Specifically, the license server 24 trusts that the black box 30 performs the decryption function only in accordance with the license rules of the license 16, and at the same time the black box 30 is used by the user for malicious purposes to bypass the actual evaluation of the license 16. You must trust that the black box 30 does not work when it is illegally altered or modified by. Therefore, the black box 30 is also implemented in a protected or protected environment in a manner that denies the user access to the black box 30. Again, it should be understood that other safeguards may be employed in connection with license evaluator 36 without departing from the spirit and scope of the present invention. Preferably, like the content server 22 and the license server 24, the black box 30 in the DRM system 32 has a unique public / private key bear (PU-B).
B, PR-BB), which evaluates license 16 and digital content 12 as described in detail below.
It is used as part of the process of obtaining a decryption key to decrypt the.

DRM System 32 Components-La
License store 38 The license store 38 stores the license 16 received by the DRM system 32 to obtain the corresponding digital content 12. The license store 38 itself only stores the licenses 16, and each of the licenses 16, as described below,
It doesn't have to be trusted as the trusted components are already built into it. In one embodiment of the invention, the license store 38 is merely a subdirectory of a drive such as a hard disk drive or network drive. However, license store 38 may be embodied in other forms as long as it performs the function of storing license 16 in a location that is relatively convenient for DRM system 32 without departing from the spirit and scope of the present invention. Is.

Components of DRM System 32
Tate Store 40 The state store 40 is the license 16 that is currently or previously placed in the license store 38.
Execute the function to save the state information corresponding to. This state information is created by the DRM system 32 and stored in the state store 40 when needed.
For example, if a particular license 16 allows rendering of one corresponding piece of digital content a predetermined number of times, the state store 40 may indicate how many times the license 16 has actually been rendered. Save state information. The state store 40 stores the information about the license 16 that does not remain in the license store 38 as it is, deletes the license 16 from the license store 38, and then stores the corresponding state information.
This prevents situations where it would be advantageous to obtain the same license 16 in an attempt to remove it from scratch.

The state store 40 also needs to be trusted to ensure that the information stored therein is not reset to a state that is more beneficial to the user. Therefore, the state store 40 is also running in a protected or protected environment, denying the user access to the state store 40.
Again, without departing from the spirit and scope of the invention,
Of course, other safeguards can be adopted for the state store 40. For example, the state store 40
Can be stored in encrypted form on the computing device 14 by the DRM system 32.

DRM System 32-Content Render
Ring, back to Part 2 5, the explanation is once more content rendering, in one embodiment of the present invention, the DRM system 32 receives control from the calling rendering application 34, the DRM system 32,
Initiate the process of determining whether the user has the right to render the requested digital content 12 as desired. Specifically, the DRM system 32 is valid, and the license 16 to be used is searched for from the license store (steps 515 and 517).
Alternatively, an attempt is made to acquire a valid and licensed license 16 from the license server 24 (that is, the license acquisition function described below is executed as shown in FIG. 8).

As a first step, as shown in FIG. 7, the license evaluator 36 of the DRM system 32 checks if there is one or more received licenses 16 corresponding to the digital content 12. For this purpose, the license store 38 is checked (step 601). As a typical example, license 16
Is in the form of a digital file, as described below, but it should be understood that the license 16
Can take on other forms without departing from the spirit and scope of the invention. As a typical example, the user receives the digital content 12 without the license 16, but again, as will be appreciated, the digital content 12 is not departing from the spirit and scope of the present invention.
May be received with the corresponding license 16.

As described above with reference to FIG. 3, each digital content 12 includes the content ID (or package ID) that identifies the digital content 12 (or package 12p) and the encrypted digital content 12. It is included in package 12p with a key ID that identifies the decryption key (KD) to decrypt. Preferably, the content ID (or package ID) and key ID are in unencrypted form. Therefore, specifically, based on the content ID of the digital content 12, the license evaluator 36 searches the license store 38 for a license 16 having an ID adaptable to the content ID. In addition, in particular, the owner of the digital content 12 specifies a plurality of types of licenses 16 for the digital content 12, and the user has a plurality of licenses 16.
If the license has been acquired, a plurality of licenses 16 may be found. In fact, the license evaluator 3
When D6 does not find the license 16 corresponding to the requested digital content 12 in the license store 38, the DRM system 32, as described below,
The license acquisition function (step 519 in FIG. 5) will be executed.

In the following, the DRM system 32 is required to render a piece of digital content 12 and one or more corresponding licenses 1
6 is present in the license store 38. In one embodiment of the present invention, the license evaluator 36 of the DRM system 32 then
Processing for determining whether the license 16 itself is valid (steps 603 and 60 in FIG. 7).
5). Preferably, specifically, each license 16 is
It includes a digital signature 26 based on the content 28 of the license 16. As will be appreciated, the digital signature 26 will not match the license 16 if the content 28 has been illegally altered or modified.
Accordingly, the license evaluator 36 can determine, based on the digital signature 26, whether the content 28 is in the form received from the license server 24 (that is, valid). If the valid license 16 is not found in the license store 38, the DRM system 32 obtains the valid license 16 by executing the license acquisition function described below.

If one or more valid licenses are found, then for each valid license, the license evaluator 36 of the DRM system 32.
Then determines whether the valid license gives the user the right to render the corresponding digital content 12 as desired (ie, is it licensed) (steps 607 and 609). Specifically, the license evaluator 36 determines whether or not the requesting user has the right to play the digital content 12 requested by the requesting user, based on the right description of each license 16, and how the user can play the digital content 12. Make a decision based on what you are trying to handle. For example, the rights description is provided by the user to the digital content 12
May be allowed to render into a sound, but not into a decrypted digital copy.

As will be understood, each license 1
The rights description of 6 determines whether the user has the right to play the digital content 12, based on several factors: who the user is,
It defines based on where the user is, what type of computing device 14 the user is using, what rendering application 34 is calling the DRM system 32, date, time, etc. Further, the right description may limit the license 16 to a predetermined number of plays or a predetermined play time, for example. In such cases, the DRM system 32
State information about the license 16 (ie, how many times the digital content 12 was rendered,
It is necessary to refer to (eg, the total amount of time the digital content 12 has been rendered), in which case that state information is available on the user's computing device 14 side.
It is stored in the state store 40 of the DRM system 32.

Accordingly, the license evaluator 36 of the DRM system 32 reviews the rights description of each valid license and determines whether the valid license 16 gives the user the required rights. The license evaluator 36 may then have to refer to other data specific to the user's computing device 14 to determine whether the user has the required rights. As shown in FIG. 4, such data includes the ID 42 of the user's computing device (machine) 14 and its specific aspect, the user's ID 44 and its specific aspect, the ID of the rendering application 34 and its specific aspect, the system clock. There are 46 etc. If no valid license 16 is found that gives the user the right to render the digital content 12 as requested, the DRM system 32 will obtain a license as described below if the license 16 is actually obtainable. The function 16 can be executed and its license 16 can be obtained.

Of course, in some cases, the user renders the digital content 12 as requested, because in some cases the content owner of the digital content 12 has actually instructed to grant the right. You may not be able to acquire the right. For example, the content owner of the digital content 12 may indicate that the user does not grant a license 16 that allows the user to print a text document or copy a multimedia presentation to a non-encrypted form. . In one embodiment of the invention, the digital content 12
Contains data on what rights are available at the time the license 16 is purchased and the available licenses 1
It contains data for 6 types. However, it should be understood that the content owner of one digital content 12 may change the rights currently available for that digital content 12 at any time by changing the license 16 available for that digital content 12. You can

DRM System 32-Obtaining a License Next, with reference to FIG. 8, the license evaluator 36 is actually valid and licensed corresponding to the requested digital content 12. When the license cannot be found in the license store 38, the DRM system 32 can perform the function of obtaining the license. As shown in FIG. 3, each digital content 12 is packaged in a non-encrypted form with information regarding how to obtain a license 16 for rendering that digital content 12 (ie, license acquisition information). There is.

In one embodiment of the present invention, this license acquisition information includes (especially) available license 16
, And one or more Internet websites or other site information from which one or more applicable license servers 24 can be accessed, where each license server 24 is, in effect,
It has the ability to issue a license 16 corresponding to the digital content 12. Of course, license 16 may be used without departing from the spirit and scope of the invention.
It can be obtained by other methods. For example, the license 16 is in the form of a file placed on a magnetic disk, an optical disk, or the like, and can be obtained from the license server 24 from an electronic bulletin board, the person himself / herself, or an ordinary mail.

The location for obtaining the license 16 is actually the license server 2 on the network.
4 is the license evaluator 36,
After establishing a network connection with the license server 24 based on the website or other site information, a request for the license 16 is transmitted from the connected license server 24 (steps 701, 70).
3). Specifically, when the DRM system 32 contacts the license server 24, the DRM system 32
The corresponding license request information 36 is transmitted to the license server 24. In one embodiment of the present invention, the request information 36 of the license 16 includes the following, among others.

The public key (PU-BB) of the black box 30 of the DRM system 32, the version number of the black box 30 of the DRM system 32, the digitally signed certificate from the certification authority,
Proof of the black box 30 (this certificate may actually include the public key and version number of the black box 30), Digital Content 12 (or Package 12).
p) identifying the content ID (or package I)
D),-the key ID identifying the decryption key (KD) that decrypts the digital content 12, -the type of license requested (in practice, if more than one is available), and / or- Other.

Of course, without departing from the spirit and scope of the present invention, the amount of license 16 request information 36 sent by the DRM system 32 to the license server 24 may be more or less. It is also possible to do so. For example, information about the type of rendering application 24 may not be needed, while additional information about the user and / or the user's computing device 14 may be needed.

The license server 24 is the DRM system 32.
Upon receiving the request information 36 of the license 16 from the license server 24, the license server 24 receives the trust / authentication ratio (trust / authenticatio).
n) Checks and checks for other purposes can be performed.
In one embodiment of the invention, the license server 24
Checks the digitally signed certificate of the certification authority,
It is determined whether it has not been illegally altered or modified (steps 705, 707). If it is altered or modified, the license server 24 rejects all licenses of the license 16 based on the request information 36. The license server 24 may also store a list of known "illegal" users and / or known computing devices 14 of the user, so that the rogue users and / or user's computing on that list may be preserved. All license grants based on requests from device 14 can be denied. This "rogue" list can be compiled in any way without departing from the spirit and scope of the invention.

Based on the received request and the information related to the request, specifically, the content ID (or package ID) in the license request information, the license server 24 causes the content key database 20 (FIG. 1). To find the digital content 12 that is the basis of the request
The record corresponding to (or package 12p) can be found. As mentioned above, that record is
Decryption key (KD), key ID, for digital content 12
And contains the content ID. Further, this record can also include license data regarding the type of license 16 issued for the digital content 12, and terms and conditions for each type of license 16. Alternatively, this record may contain a pointer, link, or reference to the location where the additional information is located.

As described above, a plurality of types of licenses 16 can be prepared. For example, if the license fee is relatively small, it is possible to prepare the license 16 with a limited number of renderings. If the license fee is relatively high, a license 16 that allows unlimited rendering until the expiration date can be prepared. If the license usage fee is higher, a license 16 that allows unlimited rendering indefinitely (no expiration date) can be prepared. Without departing from the spirit and scope of the present invention, almost any type of license with arbitrarily defined license terms can be devised and issued to the license server 24.

In one embodiment of the invention, license 16
Is requested using a Web page or the like transmitted from the license server 24 to the user's computing device 14. This web page is preferably the digital content 1 on which the license 16 is based.
2 includes information about all types of licenses 16 provided by the license server 24.

In one embodiment of the invention, license 16
The license server 24 checks the version number of the black box 30 prior to the issuance of the
t) is determined (steps 709, 71)
1). As you will understand, black box 30
Is intended to be secure and protected against attacks by users with malicious intent (ie, illegally rendering digital content 12 without a license 12 or deviating from the terms of the corresponding license 16). I am trying. However, as will be appreciated, no system, no software device, is in fact completely secure from such an attack.

As will be understood, if the black box 30 is relatively latest, that is, if the black box 30 has been acquired or updated relatively recently, the black box 30 is a malicious user. Will be attacked by and will be less likely to succeed. Preferably, as a matter of credit, when the license server 24 receives a license request with request information 36 containing the version number of the black box 30 that is relatively out of date, that license server 24 will be described below. As such, it refuses to issue the requested license 16 until the corresponding black box 30 is upgraded to the current version. Briefly, the license server 24 will not trust a black box 30 unless it is relatively up to date.

In the context of the black box 30 of the present invention, the term "current" or "relatively current" may be used in its age or usage without departing from the spirit and scope of the present invention. It is used in a sense consistent with the function of trusting the black box 30 based on the number of years. For example, "latest" is
It can be defined according to the number of years passed (that is, more than one month has passed). As another example, “latest” may be defined based on the number of times the black box 30 has decrypted the digital content 12 (ie, 200 or more decryptions have been performed). Furthermore, the "latest" can also be based on the policy set by each license server 24, in which case one license server 24
Can define "latest" differently than another license server 24. Moreover, the license server 24 can, among other things, be responsive to or requested by the digital content 12 on which the license 16 was requested. It is also possible to define differently "latest" depending on the type of license 16.

If the black box 30 is the latest one, the license server 24 determines that the black box 30
If the license server 24 is satisfied with the version number and other indexes, the license server 24 will proceed to negotiate with the user the terms and conditions of the license 16 (step 713). Alternatively, the license server 24 may negotiate with the user for the license 16 and then be satisfied with the version number of the black box 30 that the black box 30 is up to date (ie, perform step 713). Then, step 711 is executed). Of course, how much negotiation is done depends on the type of license 16 issued and other factors. For example, the license server 2
If 4 only issues a paid unlimited use license 16, negotiating is negligible. On the other hand, the license 16 has variable price, sliding scales, and breaking points.
If it is based on an item such as nt) or other item, the item and item can be resolved between the license server 24 and the user before the license 16 is issued.

As will be understood, in some circumstances, in license negotiations, the user may have different information (eg,
Information about the user, the user's computing device 14, etc.) may need to be provided to the license server 24. It is important to note that in license negotiations, the user and the license server 24, among other things, are mutually agreed payment methods (credit account, debit account, postal check, etc.) and / or payment methods (immediate payment, grace payment for a period of time, etc.). ) Will also need to be determined.

When all the terms of the license 16 have been negotiated and agreed by both the license server 24 and the user (step 715), the digital content 16 is generated by the license server 24 (step 71).
5), where the generated license 16 is, at least in part, a license request, a black box 30
Public key (PU-BB) and the decryption key (KD) for the digital content 12 underlying the request, which is retrieved from the content key database 20. In one embodiment of the present invention, as shown in FIG. 9, the generated license 16 includes:

The content ID of the digital content 12 to which the license 16 applies, the digitization rights license (DRL) 48 (ie the license 16 written in a predetermined format that can be examined by the license server 36). Rights statement or actual terms and conditions). It is probably encrypted with a decryption key (KD) (that is, KD (DRL)). The decryption key (KD) for the digital content 12 encrypted with the public key (PU-BB) of the black box 30 received in the license request (ie (PU-BB (K
D)),-(KD (DRL)) and (PU-BB (KD)), the license server 2 encrypted with the private key of the license server 24.
Digital signature from 4 (no accompanying certificate) (ie (S (PR-LS))), and-a certificate previously obtained by the license server 24 from the content server 22. This certificate indicates that the license server 24 has the authority to issue the license 16 from the content server 22 (that is, (CER
T (PU-LS) S (PR-CS))).

As will be appreciated, the elements described above, and possibly other elements, are packaged in digital files or other relevant features. Also, as will be understood, if the DRL 48 or (PU-BB (KD)) in the license 16 is illegally altered or modified, the digital signature in the license 16 may be changed.
(S (PR-LS)) does not match, so you will invalidate the license. For the above reasons, the DRL 48 is not necessarily in the encrypted form (that is, (KD (DRL)), as described above.
Does not have to be. It should be noted that this encryption format may be desirable in some cases, and can be employed without departing from the spirit and scope of the present invention.

When the digital license 16 is prepared,
The license 16 is issued to the requesting side (that is, the DRM system 32 of the user's computing device 14 side) (step 719 in FIG. 8). Preferably, the license 16 is sent using the same path as the request was made (ie, the Internet or another network), but may take another path without departing from the spirit and scope of the invention. It is also possible to use. Upon receiving the license 16, the requesting DRM system 32 preferably automatically places the received digital license 16 in the license store 38 (step 72).
1).

As will be appreciated, the user's computing device 14 may malfunction, at which time the user's computing device 1
The license 16 stored in the license store 38 of the 4-side DRM system 32 may be irreversibly lost. Therefore, it is preferable that the license server 2
4 stores the database 24 of issued licenses 16 (FIG. 1), and if the user actually has the right to reissue, the license server 24 copies or reissues the issued license 16. (Hereinafter referred to as “reissue”) is to be given to the user. As described above, when the license 16 is lost irreversibly, it is stored in the state store 40,
It may happen that the state information corresponding to the license 16 is lost. The lost state information should be taken into consideration when the license 16 is reissued. For example, a license 16 that limits the number of renderings may be pro-rated after a relatively short period of time.
rm), but will not be reissued at all after a relatively long period of time.

DRM System 32-Black Box 3
0 Installation / Upgrade As described above, as a part of the function of obtaining the license 16, the license server 24 is not relatively up-to-date with the DRM system 32 of the user's computing device 14, that is, the version. When the black box 30 having a relatively old number is installed, the request for the license 16 from the user may be rejected. In such cases, it is preferable to upgrade the black box 30 of that DRM system 32 so that the licensing function can proceed. Of course, the black box 30 may be upgraded at times other than those described above without departing from the spirit and scope of the present invention.

Preferably, a non-unique lite 'version (shortened version) of the black box 30 is provided as part of the process of installing the DRM system 32 on the user's computing device 14. This shortened black box 30 is upgraded to a unique legal version before rendering a piece of digital content 12. As will be understood, if each black box 30 placed in each DRM system 32 is unique, a certain black box 30
Even if a security breach occurs, it is easy to prevent the same thing from happening in other black boxes 30.

Next, referring to FIG. 10, the DRM will be described.
The system 32 obtains it by requesting a unique black box 30 such as the black box 26 (as described above with reference to FIG. 1) (step 901). Typically, this request is made over the Internet, although other means of access may be employed without departing from the spirit and scope of the invention. For example, the connection with the black box server 26, whether local or remote, can be a direct connection. One unique non-short version (lite) black box 30 to another unique non-short version black box 30
An upgrade to can be requested at any time by the DRM system 32, such as when the license server 24 determines that the black box 30 is out of date, as described above.

After that, the black box server 26
Creates a new unique black box 30 (step 903). As shown in FIG. 3, each new black box 30 has a version number and a digitally signed certificate from a certification authority. As described above regarding the license acquisition function, the version number of the black box 30 indicates its relative age and / or usage years. As described above with respect to the license acquisition function, the digital certificate signed by the certification authority is stored in the black box 3 by the license server 24.
It is a mechanism for the certification authority to offer or guarantee that it trusts 0. Of course, the license server 24 must trust the certification authority to issue the certificate to the actually trusted black box 30. In practice, it is possible that the license server 24 does not trust a particular certification authority and refuses to trust any certificate issued by that certification authority. For example, if a particular certification authority is found to be involved in a fraudulent certificate issuing pattern, it will not be trusted.

Preferably, as mentioned above, the black box server 26 will add a new unique public / private key pair to the newly created unique black box 30.
(PU-BB, PR-BB) is incorporated (step 903 in FIG. 10). Preferably, the private key of the black box 30
(PR-BB) is accessible only to the black box 30 and has the black box 30.
It is hidden and inaccessible from other sources, including the computing device 14 in which the DRM system 32 is located and its user.

Almost any hiding scheme
However, as long as the concealment method actually has a function of making the private key (PR-BB) invisible to the outside, it can be adopted without departing from the spirit and scope of the present invention. As an example, the private key (PR-BB) can be split into several sub-components, and each sub-component can be uniquely encrypted and stored in separate locations. In that case, the preference is not to have the entire private key (PR-BB) available when these entire sub-components are combined.

In one embodiment of the invention, this private key (PR
-BB) is encrypted according to the code-based encryption method. Specifically, in this embodiment, the actual software code of the black box 30 (or other software code) is adopted as the encryption key. Therefore, if the code (or other software code) in the black box 30 is illegally altered or modified by, for example, a malicious user, this private key (PR
-BB) becomes undecipherable.

Each of the new black boxes 30 is sent together with a new public / private key pair (PU-BB, PR-BB), which is a new DRM on the user's computing device 14 side. Old release from old black box 30 previously sent to system 32 /
The private key pair is also preferably accessible (step 905). Therefore, the upgraded black box 30 will still use the old key pair to access the old digital content 12 generated according to the old key pair and the corresponding old license 16, as will be described in detail below. Is possible.

The black box server 26 is preferable.
The upgraded black box 30 sent by is tightly coupled to or associated with the user's computing device 14. As such, the upgraded black box 30 is incapable of being operably transferred between multiple computing devices 14 for malicious or other purposes. In one embodiment of the invention, as part of the request to the black box 30 (step 901), the DR
The M system 32 is unique to the DRM system 32 and
Hardware information specific to the user's computing device 14 is provided to the black box server 26.
To the DRM system 32 based on some of the hardware information provided.
To generate a black box 30. Upgraded black box 30 generated in this way
Is the DRM of the user's computing device 14 side
It is sent to the system 32 and installed (steps 907 and 909). When the upgraded black box 30 is transferred to another computing device 14 in some way, the transferred black box 30 is transferred to the other computing device 14.
, The requested rendering is not intended for that user's computing device 14
Will not allow what is done above.

The new black box 30 is the DRM system 3
When installed on 2, the DRM system 32
You can proceed to the license acquisition function or other functions.

DRM System 32-Content Render
Ring, Part 3 Next, referring to FIG. 6, where to find the license evaluator 36 is at least one valid license 16, at least one of the valid license 16, obtains the corresponding digital content 12 Assuming that the user has been given the necessary rights to render as per (i.e., licensed), the license evaluator 36 selects one of the licenses 16 to be used thereafter (step 519). . Specifically, in order to render the requested digital content 12, the license evaluator 36 and the black box 30 jointly obtain a decryption key (KD) from the license 16, and the black box 30 receives the decryption key.
Decrypt the digital content 12 using (KD).
In one embodiment of the present invention, as described above, the decryption key (KD) obtained from the license 16 is the black box 3
It is encrypted using the public key of 0 (PU-BB (KD)), and the black box 30 uses its private key (PR-BB) to decrypt the encrypted decryption key and the decryption key (KD ) Is obtained (steps 521 and 523). However, without departing from the spirit and scope of the present invention, the decryption key for digital content 12
(KD) can be obtained by other methods.

The black box 30 obtains the decryption key (KD) of the digital content 12 and the digital content 12
License permission to render evaluator 3
Control is returned to the rendering application 34 (steps 525, 52).
7). In one embodiment of the present invention, upon receiving control, the rendering application 34 calls the DRM system 32 / black box 30 and decrypts the key (KD).
At least a portion of encrypted digital component 12 is sent to black box 30 for decryption according to (step 529). The black box 30 decrypts the digital content 12 based on the decryption key (KD) of the digital content 12, and then the black box 3
0 returns the decrypted digital content 12 to the rendering application 34 for the actual rendering (steps 533, 535). The rendering application 34 sends at least a portion of the encrypted digital content 12 or the entire digital content 12 to the black box 30 without departing from the spirit and scope of the present invention, and decrypting the digital content 12 with a decryption key.
Decryption can be done based on (KD).

Preferably, when the rendering application 34 sends the digital content 12 to the black box 30 for decryption, the black box 30 and / or the DRM system 32 authenticates the rendering application 34, which causes the DRM system 32 to authenticate. Make sure it is the same as the rendering application 34 originally requested to run (step 53).
1). Otherwise, the rendering request may be based on one type of rendering application, but in reality rendering by another type of rendering application may result in unauthorized acquisition of rendering authorization. If this authentication is successful and the digital content 12 has been decrypted by the black box 30, the rendering application 34 will be able to render the decrypted digital content 12 (steps 533, 53).
5).

Key Transaction Sequence Referring now to FIG. 11, in one embodiment of the present invention, the key transaction sequence is a decryption key.
It is performed to obtain (KD) and evaluate the license 16 of the requested digital content 12 (that is, steps 515-523 of FIGS. 5 and 6 are performed). Mainly in this sequence, the DRM system 32
Obtains the decryption key (KD) from the license 16, uses the information obtained from the license 16 and the digital content 12 to authenticate or confirm the validity of both, and then, as requested by the license 16. Determine if it does give the right to render the digital content 12. If so, digital content 12
Will be able to render.

It should be noted that the digital contents 1
Each license 16 for 2 is to include the following, as shown in FIG. -Digital content 1 to which the license 16 is applied
Content ID of 2 – Probably Digital Rights License (DRL) encrypted with a decryption key (KD)
(That is, KD (DRL)),-the decryption key of the digital content 12 encrypted with the public key (PU-BB) of the black box 30 (that is, (PU-
BB (KD))-A digital signature from the license server 24, which is encrypted with the private key of the license server 24 based on (KD (DRL)) and (PU-BB (KD)) ( That is,
(S (PR-LS))), and-the certificate that the license server 24 previously obtained from the content server 22 (ie (CERT (PU-LS) S (PR-
CS))).

Furthermore, it should be noted that the package 12P having the digital contents 12 includes the following, as shown in FIG. -Content ID of the digital content 12, -Digital content 12 encrypted with KD (that is, (KD) (CONTENT)),-Unencrypted license acquisition script, and-Public key of content server 22 (PU -CS) encryption key KD, which is the secret key (PR
-CS) signed (that is, (KD (PU-CS) S (PR-C
S))).

With the above considerations in mind, in one embodiment of the invention, the particular key transaction sequence performed for a particular license for digital content 16 is as follows:

1. From license 16 (PU-BB (KD))
Based on the user's computing device 14
The black box 30 of the DRM system 32 on the side is (KD)
The secret key (PR-BB) is applied to obtain (step 1001). (PR-BB (PU-BB (KD)) = (KD). The important thing here is that the black box 30 goes to the next
, You can use digital content 12
Can be deciphered. However, again, it is important that the license server 24 trusts the black box 30 not to do so. This trust is established when the license server 24 issues the license 16 based on a certificate from a certification authority that guarantees that the black box 30 is trustworthy. Therefore, the black box 30
Decryption key (KD) as an initial step instead of a final step
Notwithstanding that, the DRM system 32 continues to perform all validation and evaluation functions of the license 16, as described below.

2. (KD (P (P
U-CS) S (PR-CS)) based on black box 30
To obtain (PU-CS), the newly obtained decryption key (K
Apply D). (KD (KD (PU-CS)) = (PU-CS)). Furthermore, the black box 30 can apply (PU-CS) to the signature (S (PR-CS)) and can be convinced that the signature and its digital content 12 / package 12p are valid. (Step 1005). If not valid, the process is aborted and access to the digital content 12 is denied.

3. From license 16 (CERT (PU-LS)
S (PR-CS)), the black box 30 receives the newly acquired public key of the content server 22 (PU-CS).
Is applied and the certificate is valid (step 1007). This means that the license server 24 that issued the license 16 has obtained the right to do so from the content server 22. After that, the black box 30 inspects the certificate contents
(PU-LS) is obtained (step 1009). If not valid, the process is aborted and access to the digital content 12 under the license 16 is denied.

4. On the basis of (S (PR-LS)) from the license 16, the black box 30 applies the newly acquired public key (PU-LS) of the license server 24 to validate the license 16. Be convinced that (step 1
011). If not valid, the process is aborted and access to the digital content 12 under the license 16 is denied.

5. All validation steps have been completed successfully and the DRL 48 in the license 16 has indeed the decryption key.
If it is encrypted with (KD), the license evaluator 36 applies the already-obtained decryption key (KD) to (KD (DRL)) obtained from the license 16 to obtain the license 16 (that is, DRL). The license terms are acquired from (step 1013). Of course, step 1013 can be omitted if the DRL 48 in the license 18 is not actually encrypted with the decryption key (KD). Next, the license evaluator 36
Whether the user's computing device 14 has rights under the DRL 48 of the license 16 to evaluate / look up the DRL 48 and render the corresponding digital content 12 as desired (ie,
It is determined whether the DRL 48 permits the use (step 1015). If the license evaluator 36 determines that the right does not exist, the process is aborted and the digital content 12 under the license 16 is terminated.
Access is denied.

6. Finally, as a result of evaluating the license 16, it is determined that the user's computing device 14 has the right under the terms of the DRL 48 to render the corresponding digital content 12 as desired. , The license evaluator 36 informs the black box 30 that the corresponding digital content 12 can be rendered according to the decryption key (KD). After that, Black Box 3
0 is the digital content 12 from the package 12p
Apply the decryption key (KD) to decrypt (that is, (K
D (KD (CONTENT)) = (CONTENT)) (step 1017).

It should be noted here that the above-mentioned series of steps is performed by the license 16 and the digital content 12.
It means to alternate between, that is, to "ping-pong". With this ping-pong, the validity checking and evaluation process is performed only when both the digital content 12 and the license 16 are properly issued and in a valid format, so the digital content 12 is tightly bound to the license 16 ( will be bound). Furthermore, in order to obtain the public key (PU-CS) of the content server 22 from the license 16 and the digital content 12 from the package 12p in decrypted form (and possibly the license terms from the license 16 (DRL 48)). These items are also tightly bound, because the same decryption key (KD) is required to get the in decrypted form). When the validity of the signature is checked, the digital content 12 and the license 16 are identified as the content server 22 and the license server 24, respectively.
Will be kept in the same format as that issued by.
Thus, bypassing the license server 24 makes it difficult, if not impossible, to decipher the digital content 12 and, if not impossible,
It becomes difficult to modify the digital contents 12 or the license 16 and then decrypt the contents.

In one embodiment of the present invention, the signature validity check, in particular the signature validity check of the license 16, is performed alternately as follows. The signature of each license 16 is not encrypted by the private key (PR-LS) of the license server 16, but the signature is a private root key as shown in FIG.
Encrypted by (PR-R) (not shown), in which case
The black box 32 of each DRM system 32 has a public root key (PU-R) (also not shown) corresponding to the secret root key (PR-R). This secret root key (PR-R)
Is known only to the root entity, the license server 24 can issue the license 16 only when the license server 24 makes an arrangement to issue the license 16 with the root entity.

Specifically, in this embodiment: 1. The license server 24 provides its public key (PU-LS) to the root entity. 2. The root entity returns the license server public key (PU-LS) encrypted with the private root key (PR-R) to its license server 24 (ie (CERT (PU-LS)
S (PR-R))). 3. Next, the license server 24 issues the signed license 16 encrypted with the license server private key (S (PR-LS)), and the certificate from the root entity (CE
Attach RT (PU-LS) S (PR-R)) to the license.

Next, the DRM system 18 checks the validity of the issued license 16 by checking the DRM system 1
8 is: 1. Apply the public root key (PU-R) to the attached certificate (CERT (PU-LS) S (PR-R)) to obtain the license server public key.
(PU-LS) 2. Apply the obtained license server public key (PU-LS) to the signature (S (PR-LS)) of the license 16.

The important thing is, of course,
The root entity is a certificate (CERT (PU-LS) S (PR-R))
To the license server 24 so that the license server 24 is authorized to issue the license 16.
License server 24 by providing a similar certificate (ie, (CERT (PU-LS2) S (PR-LS1)) to another license server 24 in the same manner as This means that the license server can also issue the license 16. As is apparent from the above, the license 16 issued by another license server.
Will include the first certificate (CERT (PU-LS) S (PR-R)) and the second certificate (CERT (PU-LS2) S (PR-LS1)). Similarly, this license 16 is checked for validity by following a chain through the first and second certificates. Of course, it is possible to add another link to the chain and pass it through.

One advantage of the signature verification process described above is that the root entity changes the private root key (PR-R) on a regular basis so that each license server 24 also receives a new certificate (CERT) on a regular basis. (PU-LS) S (PR
-R)) can be requested. the important thing is,
A requirement for getting a new certificate (CERT (PU-LS) S (PR-R)) is that each license server can be required to upgrade itself. As with the black box 30, if the license server 24 is relatively up-to-date, that is, it has been upgraded relatively recently, the probability of successful attacks on the license server 24 is low. Therefore, as a matter of trust, it is preferable to require each license server 24 to periodically upgrade through an appropriate upgrade trigger mechanism, such as a signature verification process. Of course, other upgrade mechanisms may be employed without departing from the spirit and scope of the invention.

As a matter of course, the secret root key (PR-
When R) is changed, the public root key (PU-R) in each DRM system 18 must also be changed. This change can be performed, for example, during the normal black box 30 upgrade period, but in practice, the black box 30 can be requested to be upgraded.
The modified public root key (PU-R) is the old private root key
(PR-R) may interfere with the signature verification of the old license 16 issued under (PR-R), which may cause the upgraded black box 30 to remember all old public root keys (PU-R). If set to, it will be minimal.
Alternatively, this hindrance may be due to, for example, the license 16 being the license evaluator 3 of the DRM system 18.
When first evaluated by 6, the signature verification of license 16 can also be minimized by requiring it only once. In such cases, the state information about whether signature verification was done needs to be compiled,
The state information needs to be stored in the state store 40 of the DRM system 18.

Digitization Rights License 48 In the present invention, the license evaluator 36 uses the Digital Rights License DRL 4
8 is evaluated as a rights statement or clause of the license 16 to determine if its DRL 48 allows the corresponding single digital content 12 to be rendered as desired. In one embodiment of the invention, DR
The L 48 can be written in any DRL language by the licensor (ie the content owner).

As will be appreciated, there are numerous ways to define the DRL 48. Therefore, a high degree of flexibility must be allowed in any DRL language. However, it is unreasonable to specify all aspects of DRL 48 in a particular licensed language, and it is impossible for the author of that language to understand all the possible aspects that a particular digital licensor wants. Is. In addition, a high level licensing language may not be required, even preventing the licensor from having a relatively simple DRL 48. Nevertheless, the licensors dr
There may be no unreasonable restrictions in the way L 48 is prescribed. At the same time, the license evaluator 38 needs to be able to get answers from the DRL 48 for some specific license questions at any time.

Referring now to FIG. 12, in the present invention, the DRL 48 can be defined in any license language, including a language ID or tag 54. The license evaluator 36 that evaluates the license 16 performs the preliminary steps of reviewing the language tag 54 to identify the language, and then the appropriate license language engine 52 for accessing the license 16 in the identified language. Is selected. As will be appreciated, this licensed language engine 52
Must exist and the license evaluator 36 must be accessible. When not present, the language tag 54 and / or DRL 48 preferably includes a location 56 (typically a web site) for obtaining its language engine 52.

[0133] Typically, the language engine 52 is in the form of an executable file or set of files and is located in the memory of the user's computing device 14, such as a hard drive. The language engine 52 uses the license evaluator 36 to directly perform DRL.
License Evaluator 3 to help look up 48
6 is a language engine 4 acting indirectly as an intermediary.
I am checking DRL 48 through 8. At run time, the language engine 52 executes in a workspace in memory of the user's computing device 14, such as RAM. However, other forms of language engine 52 may be employed without departing from the spirit and scope of the present invention.

Preferably, any language engine 52, any DRL language, at least some specific licenses that the license evaluator 36 expects to be answered by any DRL 48, as described below. Supports questions. Therefore, since the license evaluator 36 is not bound to any particular DRL language, the DRL 48 can be written in any applicable language and the DRL 48 defined in the new license language will have a corresponding new language engine 52 existing. The license evaluator 38 can obtain the license evaluator 36 to use the license evaluator 38.

DRL Language Below is the DRL embodied in each DRL 48.
Two examples of 48 are shown. The first "simple" DRL 4
8 is written in the DRL language specifying license attributes, while the second "script" DRL 48 is DR
Written in the DRL language, which executes functions according to the scrip specified in L48. Although written in the DRL language, the meaning of each line of code should be understood by looking at the language and / or the attribute illustrations that follow.

Simple DRL 48: <LICENSE><DATA><NAME> Playing Beastie Boy </ NAME><ID> 39384 </ ID><DESCRIPTION> Playing the song 3 times </ DESCRIPTION><TERMS></TERMS><VALIDITY><NOTBEFORE> 19980102 23:20: 14Z </ NOTBEFORE><NOTAFTER> 19980102 23:20: 14Z </ NOTAFTER><NALIDITY><ISSUEDDATE> 19980102 23:20: 14Z </ ISSUEDDATE><LICENSORSITE> http: //~rw.foo.com </ LICENSORSITE><CONTENT><NAME> Beastie Boy </ NAME><ID> 392 </ ID><KEYID> 39292 </ KEYID><TYPE> MS Encryption ASF 2.0 </ TTYPE></CONTENT><OWNER><ID> 939KDKD393KD </ ID><NAME> Universal </ NAME><PUBLICKEY></PUBLICKEY></OWNER><LICENSEE><NAME> Arnold </ NAME><ID> 939KDKD393KD </ ID><PUBLICKEY></PUBLICKEY></LICENSEE><PRINCIPAL TYPE == AND =><PRI NCIPAL TYPE == OR =><PRINCIPAL><TYPE> x86 Computer </ TYPE><ID> 3939292939d9e939 </ ID><NAME> Personal Computer </ NAME><AUTHTYPE> Intel Authentication Boot PC SHA-1 DSA512 </ AUTHTY
PE><AUTHDATA> 29293939 </ AUTHDATA></ PRI NCI PAL><PRINCIPAL><TYPE> Application </ TYPE><ID> 2939495939292 </ ID><NAME> Window = s Media Player </ NAME><AUTHTYPE> Authentication code SHA-1 </ AUTHIYPE><AUTHDATA> 93939 </ AUTHDATA></PRINCIPAL></PRINCIPAL><PRINCIPAL><TYPE> Person </ TYPE><ID> 39299482010 </ ID><NAME> Arnold Blinn < / NAME><AUTHTYPE> User Authentication </ AUTHTYPE><AUTHDATA> \\ redmond \ arnoldb </ AUTH DATA></PRINCIPAL></PRINCIPAL><DRLTYPE> Simple </ DRLTYPE> [Language Tag 54] <DRLDATA><START> 19980102 23: 20: 14Z </ START><END> 19980102 23: 20: 14Z </ END><COUNT> 3 </ COUNT><ACTION> PLAY </ ACTION></DRLDATA><ENABLINGBITS> aaaabbbbccccdddd </ ENABLINGBITS></DATA><SIGNATURE><SIGNERNAME> Universal </ SIGNERNAME><SIGNERID> 9382ABK3939DKD </ SIGNERID><HASHALGORITHMID> MD5 </ HASHALGORITHMID><SIGNALGORITHMID> RSA 1 28 </ SIGNALGORITHMID><SIGNAyyy> xxx </ SIGNATURE><SIGNERPUBLICKEY></SIGNERPUBLICKEY><CONTENTSIGNEDSIGNERPUBLICKEY></ CONTENTSIGNEDSIGNE
RPUBLICKEY></SIGNATURE></LICENSE> Script DRL 48: <LICENSE><DATA><NAME> Play Beastie Boy </ NAME><ID> 39384 </ ID><DESCRIPTION> Play unlimited songs </ DESCRIPTION ><TERMS></TERMS><VALIDITY><NOTBEFORE> 19980102 23:20: 14Z </ NOTBEFORE><NOTAFTER> 19980102 23:20: 14Z </ NOTAFTER><NALIDITY><ISSUEDDATE> 19980102 23:20: 14Z </ lSSU EDDATE><LICENSORSITE> http://www.foo.com </ LICENSORSITE><CONTENT><NAME> Beastie Boy </ NAME <ID> 392 </ ID><KEYID> 39292 </ KEYID><TYPE> MS encryption ASF 2.0 </ TTYPE></CONTENT><OWNER><ID> 939KDKD393KD </ ID><NAME> Universal </ NAME><PUBLICKEY></PUBLICKEY></OWNER><LICENSEE><NAME> Arnold </ NAME><ID> 939KDKD393KD </ ID><PUBLICKEY></PUBLICKEY></LICENSEE><DRLTYPE> Script </ DRLTYPE> [Language Tag 54] <DRLDATA> function on_enable (action, args) as boolean result = False if action = "PLAY" then result = True end if on_ action = False end function… </ DRLDATA></DATA><SIGNATURE><SIGNERNAME> Universal </ SIGNERNAME><SIGNERID> 9382 </ SIGNERID><SIGNERPUBLICKEY></SIGNERPUBLICKEY><HASHID> MD5 </ HASHID><SIGNID> RSA 128 </ SIGNID><SIGNATURE> xxxyyyxxxyyyxxxyyy </ SIGNATURE><CONTENTSIGNEDSIGNERPUBLICKEY></ CONTENTSIGNEDSIGNE
RPUBLICKEY></SIGNATURE></LICENSE>

In the two DRLs 48 shown above, the meanings and data types of the attributes listed therein are as follows: Attribute Description Data type id License ID GUID name License name String Content id Content ID GUID Content key id Content encryption key ID GUID Content name Content name String Content type Content type String owner id Content owner ID GUID Owner name Content owner's name String Owner's public key Content owner's public key. String This is the content owner's base64 encoded public key. Licensee id The ID of the person who obtains the license. GUID Nullable. Licensee Name The name of the person who obtains the license. The string can be null. Licensee Public Key Licensee's public key. This is the string licensee's base64 encoded public key. Nullable. Description A simple human-readable string description of the license. Terms The legal terms of the license. This can be a pointer to the web page where the string legal description is located. Invalid After Valid License Expiration Period Date Before Begin Invalid Valid License Start Period Date Issue Date License Issue Date Date DRL Type The type of DRL. String Example: ASIMPLE @ or ASCRIPT @ DRL Data DRL-specific data String enable bits Bits that allow the string to access the actual content. The interpretation of this bit is up to the application, but it is typically the secret key for decrypting the content. This data is base64 encoded. Note: This bit is encrypted using the individual machine's public key. Signer id The ID of the person who signs the license GUID Signer name The name of the person who signs the license String Signer public key The string public key of the person who signs the license. This is base64 encoded. Content Signature Content Server Private Key Signature String Signer Public Key The public key of the person who signs the licensed license. A public key that verifies that the signature is encrypted in the content. This is base64 encoded. Hash Alg Id The string algorithm used to generate the hash. It's a string, like AMD5 @. Signature Alg Id The string algorithm used to generate the signature. This is a string, such as ARSA 128 @. Signature Data signature. String This is base64 encoded data.

Methods As mentioned above, preferred is which language engine 5
No. 2, any DRL language supports at least some specific license questions that the digital license evaluator 36 expects to be answered by any DRL 48. It is understood that the supported questions can include any question without departing from the spirit and scope of the invention and consistent with the terms used in the two DRL 48 examples given above. Cognitively, in one embodiment of the invention, supported questions or "methods" include "access methods,""DRLmethods," and "use-permitted methods," as described below. ing.

Access Method The Access Method is used to query the DRL 48 for top level attributes.

VARIANT QueryAttribute (BSTR key) As valid keys, License.Name, License.Id, Conten
t.Name, Content.Id, Content.Type, Owner.Name, Owner
r.Id, Owner.PublicKey, Licensee.Name, Licensee.I
d, Licensee.PublicKey, Description, and Terms, each returning BSTR mutable data, and Is
There are sued, Validity.Start and Validity.End, each of which returns date variable data.

DRL Method How the following DRL Method is implemented is DRL 4
8 and DRL 48 are different. Many of the DRL methods have a variable parameter named'data ', which is intended to communicate information with a more advanced DRL 48. This exists primarily due to future extensibility.

Boolean IsActivated (Variable Data) This method returns a Boolean indicating whether the DRL 48 has been activated. An example of a license that is activated is an operation restricted license 16 that is activated for 48 hours at the first play.

Activate (Variable Data) This method is used to activate the license 16. Once the license 16 has been activated, it cannot be deactivated.

Variant Query DRL (Variable Data) This method is used to communicate with the more advanced DRL 48. This mainly concerns the future extensibility of the DRL 48 feature set.

Variant GetExpress (BSTR Action, Variable Data) This method returns the license 16 expiration date for the passed action. If the return value is NULL, the license 16 is considered not to expire,
Alternatively, it means that the license 16 has not been activated and therefore has not yet expired.

Variant GetCount (BSTR action, variable data) This method returns the number of remaining operations of the passed action. NU
When LL is returned, the operation can be executed an unlimited number of times.

Boolean IsEnabled (BSTR Action, Variable Data) This method tells whether the license 16 currently supports the requested action.

Boolean IsSunk (BSTR Action, Variable Data) This method tells if the license 16 has been paid. TR when license 16 is prepaid
When the license 16 is not prepaid, like the license 16 where the UE is returned and collects the payment when it is used,
FALSE is returned.

[Enabling Use Method] These methods are used for decrypting the content and license 1.
6 is used to authorize use.

Boolean Validate (BSTR Action) This method is used to validate the license 16. The key passed is the public key (PU-BB) of the black box 30 (that is, (KD (PU-BB))) encrypted with the decryption key (KD) of the corresponding digital content 12, and the license 16 Used in signature validation. A return value of TRUE indicates that the license 16 is valid. When the return value is FALSE, it indicates that it is invalid.

Int OpenLicense 16 (BSTR action, BST
R key, mutable data) This method is used to prepare access to the decrypted permission bits. The key to be passed is (KD
(PU-BB)). A return value of 0 indicates success. Other return values can be defined.

BSTR GetDecryptedEnablingBits (BSTR action, variable data) Variant GetDecryptedEnablingBitsAsBinary (BSTR action, variable data) The above method is used to access the decryption-style enable bits. If this fails for any reason, a null string or null mutable data is returned.

Void CloseLicense 16 (BSTR action,
Mutable data) This method is used to unlock access to the permission bits to perform the passed action. If this fails for any reason, a null string is returned.

Heuristics As mentioned above, if there are multiple licenses 16 for the same digital content 12, one of the licenses 16 must be selected for future use. Using the above method, the following heuristic can be implemented to make this selection. Specifically, in order to execute an action (that is, APLAY @) which is one piece of digital content 12, the following steps can be executed.

1. Acquire all the licenses 16 applied to one specific digital content 12.

2. Remove each license 16 that does not allow the action by calling the IsEnabled function on that license 16.

3. Each inactive license 16
Is removed by calling IsAactivated with its license 16.

4. Remove each non-prepaid license 16 by calling IsSunk with that license 16.

5. If there are remaining licenses 16,
Use it. In particular, unlimited license 1
If there is an expiration date in 6, license for limited number of plays 1
Before using 6, the unlimited play count license 16 is used. Even if the selection is not cost effective, it is necessary to allow the user to select a particular license 16 that has already been obtained at any time. Thus, the user can select the license 16 based on criteria that are probably invisible to the DRM system 32.

6. If the license 16 does not remain,
A status indicating that is returned. In this case, the user can select from the following:

If it is available, the license 16 that is not prepaid is used.

If available, activate license 16 and / or perform license acquisition from license server 24.

A digital device such as a portable device
Then render Ntsu, referring to FIG. 14, it should be understood that the acquired digital content 12, the mode rendering, the digital content 12 is downloaded or otherwise, The corresponding digital license 16 placed on the personal computer 60 or the like and then obtained is also downloaded or otherwise placed on the personal computer 60 or the like. As a typical example, the personal computer 60 and the like are devices that are relatively large and are not easily moved, and thus require a power line connection for receiving externally supplied power and a communication line connection for communicating with the outside. Further, as described above with reference to FIG. 13, computer 60 includes a cabled keyboard, a cabled mouse, a cabled screen, etc. and is coupled to a scanner, printer, and / or other peripheral device. Sometimes. Therefore, the computer 60 is relatively bound by these connections and peripherals. In other words, they are "bound".

It will be appreciated that the personal computer 60 of FIG. 3, for example, is released from restraint when the peripherals are disconnected and the computer 60 is replaced by a full-featured wrap that incorporates a screen, keyboard, mouse, and battery power. When realized in the form of a top computer, the constraints are further lifted. Nonetheless, a user who wants to render digital content 12, such as a musical selection, for example, while practicing, even if their laptop computer 60 weighs only 4 or 5 pounds, Certainly hesitate to carry the laptop computer 60 during its working period.
In addition, a full-featured laptop computer 60 has 2-4
Despite being lighter, such as ounces, the computer 60 still has sensitive components (eg, hard drives) that are susceptible to damage during its work.
Still equipped.

Fortunately, returning to FIG. 14, a true portable computing device 62 has emerged that has been unconstrained and lightened to store and render at least some digital content 12. It can be used for. For example, S3
DIAMOND RIO portable music player sold by Incorporated (Santa Clara, California)
It is battery powered, fits in your palm or pocket, has no moving parts, and has a large amount of on-board flash memory to store your digital content 12, eg Window
It is possible to render the digital content 12 even in s (registered trademark) Media Audio (WMA) or MP3 format. This DIAMOND RIO player comes with a suitable cable through which the computer 60 can send digital contents 12
Has an interface that allows you to download it from there. Other portable music players include RCA players, Creative Nomad II, and Pocket PC devices from Hewlett-Packard, Casio and Compaq. However, what is important is that configuring portable computing device 62 to support the DRM architecture as described above presents several problems.

One problem occurs with some players, where the memory reserved for player operations, such as decrypting content and rendering content, is relatively small. As can be appreciated, the relatively small amount of memory allows portable device 62 to perform at least some of the DRM functions described above, such as decrypting public-private keys. I can't. The solution to address this issue is
"Binding Digital Content to a Port in a Digital Rights Management (DRM) System
able Storage Device Or the Like in A Digital Right
Management (DRM) System) "August 2000 2
It is described in US patent application Ser. No. 09 / 645,887, filed on May 5. In addition, the whole content is made into a part of this specification by the reference.

Importantly, however, the solution described in said US patent application relies on a key system based on a global secret, so that this key system, once the global secret is exposed and disseminated, There is a risk of global risk. Therefore, in one embodiment of the invention, the portable device 62
Performs public-key / private-key decryption through a portable DRM system 32p (FIG. 14) instantiated in memory located therein. As will be appreciated, the DRM system 32p and associated operations such as decrypting content and rendering content either increase the amount of memory available on the portable device 62 or the DRM system instantiated in memory. The size of the 32p is reduced, or both of them are set so that the 32p fits on the portable device 62.

In one embodiment of the present invention, digital content 12 and its corresponding digital license 16 are provided for portable device 62, as is the case for the subject matter disclosed in the aforementioned US patent application Ser. No. 09 / 645,887. All the acquisition is performed through the computer 60 or the like. Specifically, the computer 60 acquires the license 16 of the corresponding digital content 16,
Then a sublicense 16 for rendering the digital content 12 on the portable device 62.
s is issued to the portable device 62. This sublicense 16s may be issued during the process of downloading from the computer 60 to the portable device 62, at any time before or after downloading from the computer 60 to the portable device 62, or at another time. Are also possible and all can be done without departing from the spirit and scope of the invention. Although the present invention has been described focusing on the computer 60 and the portable device 62 as shown in FIG. 14, it should be understood that the present invention does not depart from the spirit and scope of the present invention. The computer device 14 of a specific type other than the computer 60 can also be implemented in a form suitable for it.

Importantly, since the computer 60 performs all of the license acquisition and content acquisition functions for the portable device 62, the portable device 62 and the DRM system 32p located therein will be able to access the content 12 and sublicenses. Except for the functions required to download 16s, it is not necessary to have these functions. Therefore, the important license acquisition and content acquisition part of the DRM system 32 located on the computer 60 side can be omitted from the DRM system 32p located on the portable device 62 side.

Portable device 62 is defined as a totally closed device because data is only onloaded and offloaded in a restricted manner, providing very user access to the hardware within portable device 62. This is because the input and display functions are limited to a few function keys and perhaps a small LCD screen. Therefore, there is little waste in trying to steal content 12 by examining the memory 12 or the physical content of the portable device 62 to obtain the content 12 or the decryption key placed therein in unencrypted form. In contrast, computer 6
0 is defined as a globally open device, where data is extensively onloaded and offloaded by a wide range of hardware and / or software, with almost unlimited user access to the hardware within portable device 62. This is because the input and display functions are available from a full-featured keyboard, mouse, high resolution monitor, etc. Therefore, a person trying to steal the content can use the computer 6 to obtain the content 12 and the decryption key placed therein in unencrypted form.
The more chances to look for zero memory and physical content, the more. In summary, the portable device 62 as a closed device is less affected by malicious actions performed by content stealers than the computer 60 as an open device.

As a result, it is important to note that the portable device 62 and the DRM system 32p located therein have most types of content theft except for the functionality required to download the content 12 and sublicense 16s. And it is not necessary to have the features needed to protect against decryption key theft. Therefore, the important anti-theft function of the DRM system 32 located on the computer 60 side can be omitted from the DRM system 32p located on the portable device 62 side.

In summary, the DRM system 62 placed on the side of the portable device 62 is (1)
Functions required to authenticate the portable device 62 to the computer 60 and facilitate its download when the sublicense 16s is downloaded to the portable device, and (2) the sublicense 16s downloaded and placed there. It is sufficient to have the necessary features to render the content 12 on the portable device 62 according to the sub-license 16s, and make sure that it meets the requirements of the sub-license 16s. (K
D) is included. Computer 60
Other functions provided in the DRM system 32 on the side of the portable device 62 are either unnecessary in the DRM system 32p on the side of the portable device 62 or are inherent in the portable device 62 which is a closed device.

As will be appreciated, and as disclosed in the aforementioned US patent application Ser. No. 09 / 645,887, a sublicense 16 issued by a computer 60.
Displays the corresponding content 12 on the portable device 62.
There may be restrictions that must be followed when rendering above. Of course, the computer 60 can issue its sublicense 16s only if permitted under the terms of the corresponding license 16 obtained by the computer 60 from the relevant license server 24. Further, as disclosed in the above-mentioned US Patent Application No. 09 / 645,887, the computer 60 issues at least a part of the license 16 when issuing the sublicense 16s.
2 is easier to handle, and rewrites so that the sublicense 16s is bound to the portable device 62, that is, bound. Specifically, the computer 6
0 is the content key for decrypting the content 12
Re-encrypt (KD) into a form that makes it easier for the portable device 62 to decipher. Here, the content key is re-encrypted according to the black box public key (PU-BB-PD) of the DRM system 32p of the portable device 62.

More specifically, it is assumed that the content key (KD) in the license 16 on the computer 60 is encrypted according to the asymmetric key such as the black box public key (PU-BB-CO) as described above. Then, the computer 60 obtains the content key (KD) by applying the computer's black box secret key (PR-BB-CO), and then, according to (PU-BB-PD), the content is obtained according to (PU-BB-PD). Re-encrypt the key (KD). Therefore, it should be understood that the content key (KD) can be obtained by the portable device 62 at the appropriate time by applying the black box secret key (PR-BB-PD) of the portable device 62. So sublicense 1
6S is attached to the portable device 62,
Will be bound. As you will understand,
If you do not re-encrypt the content key (KD), the portable device 62 will not know (PR-BB-CO), so you cannot decrypt (PU-BB-CO (KD)) to get (KD). Become.

Content 1 for portable device 62
2 and Sub-license 16s Next, referring to FIGS. 15 and 17, in one embodiment of the present invention, the content 12 and its corresponding sub-license 16s will be transmitted to the portable device 62 according to the steps described below. Downloaded to. Preliminarily, the portable device 62, as shown in FIG.
It must be connected to the corresponding computer 60 through the corresponding connection 64 (step 1401).
The connection 64 may be any connection without departing from the spirit and scope of the present invention.
Note that, as a typical example, the portable device 62 is equipped with one or more interfaces 66, and which type of connection 64 can be used depends on the interface. For example, the interface 66 includes a serial port, a parallel port, a USB port,
There is a “firewall” port, an infrared port, etc., in which case the computer 60 supports the interface 68 and its connection 64 via the corresponding hardware and / or software supporting it.
In order to support .NET, the corresponding type of connection 64 must be adopted. The connection 64, interfaces 66, 68, and the hardware and / or software supporting them are well known and should be understood by those skilled in the art and need not be described in further detail here. Is omitted.

Before or after the computer 60 and the computing device 62 are combined, the portable device 62 must obtain the content 12 (step 1403). It should be noted that the content 12 can be placed on the portable device 62 directly from an external source through a corresponding transferable storage medium such as a magnetic medium, an optical medium, or an electronic medium. For example, the storage medium may include a micro-sized magnetic disk or "memory stick," in which the content 12 is already contained by the portable device 62 or another device. As a typical example, particularly when the storage medium of the portable device cannot be transferred, the content 12 is first placed in the computer 60 and then transferred from the computer 60 to the portable device 62 through the connection 64. It is placed on the portable device 62. It should be noted that the placement on the computer 60 is performed in a very short time, especially when the computer 60 directly acquires the content 12 for the portable device 62. Obtaining the content 12 and leaving the content 12 on the portable device 62, whether through the computer 60 or otherwise, is well known and understood by those skilled in the art. Since it should be, detailed description will be omitted here.

Also, the computer 60 and the portable device 62 are connected or after the computer 6 is connected.
0 must acquire the corresponding license 16 of the content 12 from the corresponding source, as described above (step 1405). It should be noted that the license 16 does not necessarily allow rendering of the corresponding content 12 on the computer 60. However, this license 16 corresponds to the corresponding sublicense 1
It should not be allowed, or at least not prohibited, to publish its content 12 on the portable device 62, as well as to publish 6s for the portable device 62. That is, the licensor has decided not to allow its content 12 to be rendered on the portable device 62 for some reason, and therefore to issue the corresponding sublicense 16s for the portable device 62. ,
It may be prohibited by the terms of the corresponding license 16. Similarly, the licensor is restricted to some portable devices 62 and the corresponding sublicense 16s
May be permitted to be issued. The licensor may, for example, define sub-license issuance rules for the license 16 in order to define rules for the obtained license.

Therefore, the computer 60 checks the obtained license 16 to determine whether the license 16 does indeed allow and prohibit the issuance of the sublicense 16, and possibly the sublicense 16s is transferred to the portable device. It is judged whether or not the issue for 62 is certainly permitted and prohibited (step 1407). Of course, this check requires portable device 62 to convey identifying information to computer 60, although any form is possible without departing from the spirit and scope of the invention. Is. As a result of the check, if it is determined that the sublicense 16s can be certainly issued, the sublicense 16s is issued.

As shown in FIG. 17, a computer 60
Builds a sublicense 16s based on the acquired license 16 and issues it to the portable device 62, where the DRM system 32 on the portable device 62 is installed.
p renders the corresponding content 12 only according to the terms of the sublicense 16s (step 140).
9). When constructing and issuing the sublicense 16s, as described above, the computer 60 uses the content key (KD) for decrypting the content 12 (PU-BB-CO
Re-encrypt from (KD)) to (PU-BB-PD (KD)).

Specifically, it is important to remember that DRM
According to the architecture, one digital content 1
2 is encrypted according to a symmetric content key (KD), content 12 is rendered on a computing device 14 having a black box 30, which in turn has an associated asymmetric public / private key (PU-BB, PU-BB,
PR-BB), and the corresponding license 16 of the content 12 contains the content key (KD) encrypted according to (PU-BB), so the license 16 is
It is tied to, ie, bound to, the black box of computing device 14 and the computing device 14 itself. When issuing the sublicense 16S of the corresponding content 12 to the portable device 62, the computer 60 uses the content key (KD) placed there (PU
-Bind the sublicense 16 to the portable device 62 by re-encrypting according to (BB-PD) or
I have to bind.

Therefore, the computer 60 performs the re-encryption in the following procedure. 1. Obtain (PU-BB-PD) from the portable device 62 (step 1409a). 2. Content key encrypted according to (PU-BB-CO) (K
D) (that is, (PU-BB-CO (KD))) is acquired from the license 16 (step 1409b). 3. Apply (PR-BB-CO) to (PU-BB-CO (KD)) (KD)
Is acquired (step 1409b). 4. Encrypt (KD) according to (PU-BB-PD) (step 1409b). Then, this (PU-BB-PD (KD)) is put into the sublicense 16 by the computer 60 (step 1409e).

As will be appreciated, in some cases KD
Is indirectly encrypted according to PU-BB through an intermediate key. That is, PU-BB encrypts the intermediate key, and the intermediate key is K
D is encrypted. KD remains in the original license 16. Therefore, more generally, as will be understood, the computer 60 acquires the content key (KD) from the license 16, opens the content key (KD), and then seals the KD in the sublicense 16a again. Re-encrypted by.

Returning to FIG. 14, in one embodiment of the present invention, the portable device 62 has a (PU
-BB-PD) is included in the certificate 63. Therefore, in this case as well, it is understood that the computer 60 has the portable device 62 (PU-BB-PD).
(PU-BB-PD) is obtained from the portable device 62 (step 1409aa) by requesting the computer 60 to send a certificate 63 with a certificate (step 1409aa). 1409
a). Certificate 63 can be signed according to (PR-BB-PD) to ensure that certificate 63 has not been tampered with. The certificate 63 received by the computer 60 is compared against the revocation list 65 to ensure that the certificate 63 is intact (step 1409ab). The invalid list 65 can be stored in the license 16 (FIG. 17), the computer 60 (FIG. 14), or in another place.

In one embodiment of the invention, the certificate 62 from the portable device 62 includes the portable device 6
The information 67 regarding 2 is also stored. This information may be any information without departing from the spirit and scope of the invention. In one embodiment, this information 67
Relates to information that can be used to determine whether license 16 authorizes issuance of sublicense 16s (step 1407). For example, information 67
May include the name, type and manufacturer of the portable device 62, the version of the black box located in the DRM system 32p of the portable device 62, and the like. As you will understand, this information 6
When 7 is given to the computer 60 in the form of a certificate 63, the computer 16 makes a wide range of decisions to determine whether the sublicense 16s should be issued to the portable device 62 based on the properties of the portable device 62 itself. It becomes possible to specify requirements.

The certificate 63 must have been received prior to step 1407 when this information 67 is actually used to determine whether the license 16 permits the issuance of the sublicense 16s. (Step 1409aa). Accordingly, when the information 67 is actually used to determine whether the license 16 permits the issuance of the sublicense 16s,
In step 1407, the information 67 is acquired from the certificate 63 (step 1407a), and the information is applied to the determination of whether the license 16 permits the issuance of the sublicense 16s (step 1407b).
Are included (FIG. 15). As you will understand,
The decision based on the information 67 can be any decision if desired. For example, this determination may specifically be acceptable to the manufacturer and / or type of portable device, and / or the black box 30 located in the DRM system 32p of the portable device 62. Considerations can be included.

Next, when the sublicense 16s is constructed and issued, the computer 60 changes (PU-BB-CO (KD)) to (PU-BB-PD (KD)) as shown in FIG. By rewriting the license 16 so as to replace it, the sublicense 16s is generated from the license 16. When generating the sublicense 16s, the computer 60
Also incorporates the rights description into the sublicense 16s (step 1409f in FIG. 15). This right statement is basically the right statement described in the license 16 (for example, DRL 48 in FIG. 9). In general, the right description is not required to be changed, but the computer 60
This right statement can be modified if necessary or desired. Alternatively, the licensor may define the rights description of the sublicense 16s in the license 16, in which case the sublicense 16s
Rights description is significantly different from and / or separate from the license 16 rights description.

When almost generated, sublicense 16s
Is completed by adding a signature for verifying the content of the sublicense 16s (step 1409).
g). As will be appreciated, this signature is based at least in part on the information of sublicense 16s.
Therefore, changing this information will result in signature verification failure. This signature is also based on (PU-BB-PD).

As will be understood from the above description, the steps of FIG. 15 described above are written for the DRM system 32 on the computer 60 side and are executed by a function or a set of functions accessible by the DRM system 32. . Accordingly, this function or functions act when the user attempts to download content 12 and / or sublicense 16s from computer 60 to portable device 62.

Contents 12 as sublicense 16s
Therefore, rendering on the portable device 62. Next, referring to FIG. 18, when the content 12 and the sublicense 16s are downloaded to the portable device 62, the portable device 62 is permitted by the rights description of the sublicense 16s. If so, the content 12 can be rendered by the following procedure.

1. The contents of the sublicense and its signature (P
Verification based on R-BB-PD) (step 1601). 2. Apply (PR-BB-PD) to (PU-BB-PD (KD)) to get the content key (KD) (step 1603). 3. Apply (KD) to decrypt the encrypted content 12 (step 1605).

Check out and check sublicense 16
Check-in As described above, the computer 60 stores an almost unlimited number of sublicenses 16s in a plurality of portable devices 62.
Can be issued to. In addition, license 16
The number of sublicenses 16s issued to the computer 60 is stored in the state store 40 (FIG. 4) on the computer 60 as state information. It is possible to record the number of licenses and limit the number according to the terms of the sublicense 16. In addition, this configuration can be a check-in / check-out configuration where the number stored is that the sublicense 16s "checks out" to the portable device 62. Sublicense 1
6s "check out" from portable device 62
The maximum value of the number is set according to the terms of the corresponding license 16.

As will be appreciated, checking in sublicense 16s includes removing sublicense 16s from portable device 62, and in any manner without departing from the spirit and scope of the present invention. Is also possible. For example, this check-in may include transferring sublicense 16s from portable device 62 to computer 60, deleting sublicense 16s from portable device 62, and so on. This check-in is known to those skilled in the art and should be understood, so the mechanics thereof will not be described in further detail here.

It should be noted that this check-in / check-out configuration copies the checked-out sublicense 16s from the portable device 62 to a storage device (not shown) (if possible),
Checking in the sublicense from the portable device 62 to the computer 60 and recopying the copied sublicense 16s back from the storage device (not shown) back to the portable device 62 would be destroyed. Is. When this happens, even if the sublicense 16s is checked in, it remains on the portable device 62.

The above-mentioned destruction is caused by the portable device 62.
This can be prevented by arranging the information about each sublicense 16s checked out to be stored as state information in the state store 40 of the portable device 62. Portable device 62
The DRM system 32p on the side records each sub-license 16s legally therein, and uses the sub-license 16s which is not recorded in the state store 40 of the sub-license 16s but is considered to be already checked in to the computer 60. You can refuse that. However, with such a configuration, the DRM system 32p on the portable device 62 side becomes excessively complicated, and if a check-in or check-out transaction is interrupted, a synchronization problem may occur. is there.

In one embodiment of the present invention, this problem is caused by any challenge value or nonce '(one-time key, hereinafter "nonce") during checkout and checkin periods.
Is prevented by the use of a nonce with another element to indicate that the element is legal. Any nonce can be created and used in any manner without departing from the spirit and scope of the invention. Specifically, referring back to FIG. 19, in this embodiment, the computer 60 side (DRM system 32)
From the portable device 62 side (DRM system 32
The check-in of the sublicense 16s to p) has been accomplished by the following procedure.

1. The computer 60 requests the nonce from the portable device 16s and receives the nonce (step 1701).

2. The checked out sublicense and the received nonce are transmitted from the computer 60 by the portable device 62 (step 1703).

3. In step 1701, computer 60
Concludes by the portable device 62 that the nonce sent from is the same as the nonce received by the computer 60 in step 1701 (step 1705).

4. Therefore, it is concluded by the portable device 62 that the sublicense 16s sent accompanying the sent nonce is legal and not from the copied source or elsewhere (step 17).
07).

Of course, if these nonces do not match, that is, if the transmission sublicense 16s is not attached to any nonce, the portable device 62 determines that the transmission sublicense 16s is not legal. In conclusion, it is possible to refuse to store the transmission sublicense in the license store 38 of the DRM system 32p on the portable device 62 side. Therefore, the nonce acts as a verification or trust-imparting device for the transmission sublicense 16s.

The nonce must be bound to the sublicense 16s. Otherwise, an attacker intercepting the message could mix the nonce and the license to match. One binding method is the signature part of the sublicense.
Incorporate a nonce.

As part of checking out a sublicense, the checked out sublicense 16s is added to a catalog 70 accessible to the DRM system 32, as required when checking in the checked out sublicense 16s. (Step 170
9). This catalog 70 is, for example, the state store 4
It can be stored at 0. Preferably, FIG.
As shown in FIG. 7, the catalog 70 includes the checked-out sublicense 16 for each sublicense 16s.
An identifier (ID) that identifies s and its sublicense 16
portable device 62 to which s is checked out
Contains an entry that contains an identifier that identifies the.

In this case, the check-in requires the checked-out sublicense 16s to be transferred to the portable device 62.
It is achieved by giving the computer 60 a credit notification that the checked out sublicense 16s has indeed been deleted. Specifically, the DRM system 32 of the portable device 62 side (
The check-in of the sublicense 16s from (p) to the computer 60 side (the DRM system 32 of the computer 60) is achieved by the following procedure.

5. At the request of the user or other request, the portable device 62 deletes the checked out sublicense 16s therefrom (step 17).
11).

6. Portable device 62 by nonce
Is requested to the computer 60 and the nonce is received (step 1713).

7. Received nonce, portable device 6
2 that identifies the 2 and all sublicenses 16s currently placed on the portable device 62
List is sent by portable device 62 to computer 60, where the deleted checked-out sublicense 16s has been removed from the send list (step 1715).

8. The nonce transmitted by the portable device 62 in step 1715 is the same as in step 1713.
The computer 60 concludes that it is the same as the nonce received by the portable device 62 at step 1717.

9. Therefore, the computer 60 concludes that the sent identifiers and lists accompanying the sent nonces are legal and not from another source (step 1719).

10. The computer 60 compares the transmission list with the catalog 70, and records that the deleted checked-out sublicense 16s is in the catalog 70 but not in the transmission list (step 1721).

11. The entry having the identifier that identifies the deleted checked-out sublicense 16s and the identifier that identifies the portable device 62 is deleted from the catalog 70 (step 1723).

Therefore, the catalog 70 in the state store 40 functions as a library of all the checked-out sublicenses 16s of all the portable devices 62 for checking out the sublicense 16s from the computer 60, and the checked-out sublicense 16s. The presence of an entry that identifies <RTIgt; identifies </ RTI> acts as a "count" intended to count the number of sublicenses 16s checked out from a particular license 16.
Therefore, this count includes searching the catalog 70 to obtain the number of checked out sublicenses 16s.

As in the case of checking out a license, if the nonces do not match in the process of checking in the license, that is, if the transmission list and the identifier are not attached to any nonce, the computer 60
Concludes that the transmission list and identifier are not legal, so
Refuse to check in the sublicense 16s based on the transmission list and the identifier. Therefore, in this case also, the nonce acts as a transmission list and identifier verification or trust delivery device.

In the mechanism shown in FIG. 19, the check-in transfers the sublicense 16s to the portable device 62.
From the computer back to the computer 60. Rather, the sublicense 16s is deleted from the portable device 62, and the deletion is notified to the computer 60 through a transmission list in a trusted manner.
As you can see from this, in this mechanism,
The DRM system 32p on the side of the portable device 62 need not store any particular state information regarding which sublicense 16s was checked out there. Further, when the catalog 70 is used, the computer 60 does not need to store the count information of each sublicense 16s checked out based on each license 16.

Conclusion The programming required to implement the processes performed and instantiated modules in connection with the present invention is relatively straightforward and should be understood by one of ordinary skill in the programming arts. is there. Therefore, its programming is not attached hereto. It should be noted that the present invention can be implemented by any programming without departing from the spirit and scope of the present invention.

As can be seen from the foregoing description, the present invention includes a novel and useful enforcement architecture that allows digital content 12 of any form to be rendered or played under control. There, the control is flexible and the digital content 12
It can be defined by the content owners of. The present invention also includes a novel and useful controlled rendering environment in which digital content 12 is
Is rendered on a computing device 14 that is not under the control of the content owner, such as portable device 62, the digital content 12 will only be as specified by the content owner. It is not rendered. Furthermore, the present invention provides a computing device 1.
Trusted to enforce the rights of the content owner on the computing device 14 with respect to the digital content 12 even if the user of four attempts to access the piece of digital content 12 in a manner not permitted by the content owner. Contains components.

As can be understood from the above description, the above-described embodiments can be modified in various ways without departing from the novel concept of the present invention. Specifically, the present invention is
A portable device 62 that is directly connected to a PC or computer 60 is described, where the computer 60 owns the license 16 and the license 1
6 underlies the sublicense 16s sent to the portable device 62, the invention is defined in a broader sense.

[0217] For example, the portable device 62 need not be portable in nature, and may actually be constrained or heavy such that it cannot move around. Thus, the device 62 could be another computer or PC without departing from the spirit and scope of the invention. Furthermore, "Portable device" 6
The computer 60 that is the pipe to 2 does not necessarily have to be a PC, it can be another portable device or a type of computing such as a set top box, video console, game play station, telephone, appliance, personal digital assistant, etc. It can even be a device. Broadly speaking, the present invention allows any device to prepare a sublicense 16s for any other device and deliver it to another device using the mechanism described above.

Furthermore, the device 62 is the computer 6
It does not have to be directly connected to 0, it is actually a wired or wireless LAN or WAN
It is also possible to connect indirectly via a network such as the Internet (for example, the Internet). Thus, computer 60 can be any computer on the network or one of the computers on the network. In a broader sense, if a device 62 can receive a sublicense 16s from any computer on the network, that device can obtain that sublicense 16s directly from the license server 24. In this case,
As will be appreciated, the sublicense 16s will not be rewritten and will be generated directly by the license server 24.

Furthermore, the portable device 6 has been used so far.
It was explained mainly on 2, but sublicense 16s
Can also be written directly for portable media, which is attached to the device 62 and can be transferred to other devices 62 or other devices in the broadest sense. Not surprisingly, some changes are needed. the important thing is,
The identifier (ID) of the portable device becomes the identifier (ID) of the portable medium, and the sublicense 16s is written independently of the device 62.

Further, as will be appreciated, the sublicense 16s may or may not be written, depending on the case. Instead, the sub-license 16s becomes implicit (eg, all content is treated the same as a license), some license types are defined on the portable device 62, and each content 12 is licensed. Specify the type.

Therefore, as will be appreciated, the invention is not limited to the specific embodiments disclosed herein, but rather within the spirit and scope of the invention as defined in the claims. It includes changes.

[Brief description of drawings]

FIG. 1 is a block diagram illustrating a mandatory architecture according to one embodiment of the invention.

2 is a block diagram illustrating an authoring tool of the architecture of FIG. 1 according to one embodiment of the invention.

FIG. 3 is a block diagram illustrating a digital content package with digital content used in connection with the architecture of FIG. 1 according to one embodiment of the invention.

4 is a block diagram illustrating a computing device of the user of FIG. 1 according to one embodiment of the invention.

5 is a flow diagram illustrating steps performed in connection with the digitization rights management (DRM) system of the computing device of FIG. 4 to render content according to one embodiment of the invention.

6 is a flow diagram illustrating steps performed in connection with the digitization rights management (DRM) system of the computing device of FIG. 4 to render content according to one embodiment of the invention.

7 is a flow diagram showing steps performed in connection with the DRM system of FIG. 4 to determine if a valid and authorizing license exists in accordance with one embodiment of the present invention. .

8 is a flow diagram showing steps performed in connection with the DRM system of FIG. 4 to obtain a license according to one embodiment of the invention.

9 is a block diagram illustrating a digital license used in connection with the architecture of FIG. 1 according to one embodiment of the invention.

FIG. 10 is a flow diagram illustrating steps performed in connection with the DRM system of FIG. 4 to obtain a new black box according to one embodiment of the invention.

FIG. 11 shows a license and 1 according to an embodiment of the present invention.
5 is a flow diagram showing key transaction steps performed in connection with the DRM system of FIG. 4 to check if one piece of digital content is valid and render the content.

FIG. 12 is a block diagram illustrating the license evaluator of FIG. 4 with a digitization rights license (DRL) of a license and a language engine that interprets the DRL according to one embodiment of the invention.

FIG. 13 is a block diagram illustrating a general-purpose computer incorporating aspects of the present invention and / or portions thereof.

FIG. 14 is a block diagram illustrating a configuration in which a portable device is coupled to a computer for the purpose of downloading content and its corresponding sublicense according to one embodiment of the invention.

15 is a flow diagram illustrating steps performed in delivering digital content and sublicenses from a computer to the portable device of FIG. 14 according to one embodiment of the invention.

16 is a flow diagram showing steps performed in delivering digital content and sublicenses from a computer to the portable device of FIG. 14 in accordance with one embodiment of the present invention.

FIG. 17 is a block diagram showing a license and a sublicense obtained from the license by the method shown in FIG. 15 according to an embodiment of the present invention.

FIG. 18 is a flow diagram showing steps performed by the portable device of FIG. 14 in rendering sublicense-based content in accordance with one embodiment of the present invention.

19 is a flow diagram showing steps performed by the computer and portable device of FIG. 14 to check out and check in sublicenses according to one embodiment of the invention.

[Description of Codes] 10 Mandatory Architecture 12 Digital Content 12p Digital Content Package 14 User's Computing Device 16 License 16s Sublicense 18 Authoring Tool 20 Content Key Database 22 Content Server 24 License Server 26 Black Box Server 30 Black Box 32 Computer 60 Side DRM system 32p DRM on the user's computing device side
System 34 Rendering Application 36 License Evaluator 38 License Store 40 State Store 48 Digital Rights License (DRL) 60 Computer 62 Portable Computing Device

Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04L 9/32 H04L 9/00 601F 675B (72) Inventor Marcus Peanade United States 98008 Bellevue, WA 168 Avenue Northeast 7F term ( Reference) 5B017 AA03 BA06 CA16 5B085 AE00 AE29 BA06 BG02 BG03 BG04 BG07 5J104 AA12 AA16 EA17 EA19 PA07 (54) [Title of Invention] Digital licenses are bound to portable devices in a digital rights management (DRM) system, and portable devices. How to check out / check in digital license to / from etc.

Claims (35)

[Claims] 1. Public key (PU1) and corresponding private key
A method of rendering encrypted digital content on a first device having (PR1), wherein the digital content is encrypted according to a content key (KD), the method comprising: It is a license, the content key (KD) is stored in the encrypted form, a digital license is acquired, the encrypted content key (KD) is decrypted from the digital license, and the content key (KD) is acquired. The public key (PU1) is obtained from the first device, and the content key (K1) is obtained according to the public key (PU1) of the first device.
D) obtained by encrypting (PU1 (KD)), corresponding to the obtained license, and configuring a sublicense based on the obtained license, the sublicense including (PU1 (KD)), The sub-license is transferred to the first device, and the first device can decrypt the (PU1 (KD)) using the private key (PR1) to obtain the content key (KD), and obtain it. A method characterized in that the encrypted content can be rendered on the first device using the content key (KD). 2. The method according to claim 1, wherein a sublicense is configured, the acquired license is checked before the configured sublicense is transferred to the device, and the license issuance of the sublicense to the device. The method further comprising determining whether to allow the. 3. The method of claim 1, further comprising transferring the content to a first device. 4. The method of claim 1, wherein the encrypted digital content is rendered on a first device on which a digitization rights management (DRM) system is located. In the case of possessing the key (PU1) and the corresponding private key (PR1), the method obtains the public key (PU1) of the DRM system from the first device, and the public key (PU1) of the DRM system of the first device ( (PU1 (KD)) that is obtained by encrypting the content key (KD) according to (PU1) and configures a sublicense corresponding to the obtained license and based on the obtained license. KD)) and transfer the sublicense to the first device, and the DRM system of the first device decrypts (PU1 (KD)) using the private key (PR1) to decrypt the content key (KD). And you can get Wherein the can render the encrypted content on a first device using the obtained content key (KD). 5. The method according to claim 1, wherein a digital license is acquired, the acquired digital license is stored on a second device, and the encrypted content key (KD) is decrypted from the digital license on the second device. To obtain the content key (KD), the public key (PU1) from the first device, and the content key (K1) according to the public key (PU1) of the first device.
D) obtained by encrypting (PU1 (KD)), corresponding to the obtained license, and configuring a sublicense based on the obtained license, the sublicense including (PU1 (KD)), The sublicense is transferred from the second device to the first device, and the first device can decrypt the (PU1 (KD)) using the private key (PR1) to obtain the content key (KD). Along with, the method is characterized in that the obtained content key (KD) can be used to render encrypted content on the first device. 6. The method according to claim 5, wherein the second device has a public key (PU2) and a corresponding private key (PR2).
If the method has a digital license corresponding to the content, the digital license is the public key (PU2) of the second device.
The encrypted content key (KD) according to (PU2 (K
D)) is included, and the content key (KD) is obtained by decrypting (PU2 (KD)) from the digital license according to the secret key (PR2) of the second device. how to. 7. The method of claim 5, wherein the second device is a computer. 8. The method of claim 1, wherein the first device is a portable device. 9. The method of claim 1, wherein obtaining the public key (PU1) of the first device comprises receiving a certificate containing (PU1) therein from the first device. A method characterized by the following. 10. The method of claim 9, comparing the received certificate against a revocation list to verify that the certificate has not been revoked.
The method further comprising: 11. The method of claim 9 including receiving from the first device a certificate that contains (PU1) and information about the first device. 12. The method of claim 11, wherein the sublicense is configured, the acquired license is checked before the configured sublicense is transferred to the device, and the license issuance of the sublicense to the device. Further comprising: determining whether the license permits the issuance of a sublicense using the information about the first device. A method characterized by. 13. The method according to claim 11, wherein (P
U1) and at least one of the name, type and manufacturer of the first device, receiving a certificate contained therein from the first device. 14. The method according to claim 1, wherein (PU1 (KD)) is obtained from the transferred sublicense, and (PR1) is acquired.
To (PU1 (KD)) to get the content key (KD),
The method further comprising applying (KD) to decrypt the encrypted content, all of which is performed by the first device. 15. A method of rendering encrypted digital content on a first device having a public key (PU1) and a corresponding private key (PR1), the digital content being encrypted according to a content key (KD). , The method provides a public key (PU1) to a second device, where the second device is a digital license corresponding to the content, where the content key (KD) is Obtain the digital license stored in the encrypted format, decrypt the encrypted content key (KD) from the digital license to obtain the content key (KD), and use the content key (KD) as the public key of the first device. Encrypted according to (PU1) (P
U1 (KD)), corresponding to the acquired license, and a sublicense based on the acquired license,
Configure a sublicense containing (PU1 (KD)), receive the configured sublicense from the second device, get (PU1 (KD)) from the received sublicense, and change (PR1) to (PU1 Applying the (KD)) to obtain a content key (KD), applying the (KD) to decrypt the encrypted content, and rendering the decrypted content. 16. The method of claim 15, further comprising receiving content from a second device. 17. The method of claim 15, wherein the DRM system renders the encrypted digital content on a first device on which a digital rights management (DRM) system is located. PU1) and its corresponding private key (PR1), and the digital content is encrypted according to the content key (KD), the method provides the public key (PU1) of the DRM system to the second device. Then, the configured sublicense is received from the second device, (PU1 (KD)) is acquired from the received sublicense, and the private key (PR1) of the DRM system is applied to (PU1 (KD)) to obtain the content. Obtaining the key (KD), applying the (KD) to decrypt the encrypted content, and rendering the decrypted content. 18. The method of claim 15, wherein the second device is a computer. 19. The method of claim 15, wherein the first device is a portable device. 20. The method according to claim 15, wherein providing the public key (PU1) to the second device
Providing the second device with a certificate containing (PU1). 21. The method of claim 20, wherein providing the public key (PU1) to the second device comprises (PU1).
And providing the second device with a certificate containing information about the first device, the second device uses the information about the first device to cause the acquired license to issue a sublicense. A method characterized by being able to determine whether or not it is permitted. 22. The method according to claim 21, wherein (P
U1) and providing to the second device a certificate containing information about at least one of the name, type and manufacturer of the first device. 23. A method of checking out a sublicense from a second device to a first device, the method receiving a request from a second device for a nonce (one-time key, hereinafter nonce '). , Provided its nonce, checked out sublicense and provided nonce
Store from the second device, conclude that the received nonce is the same as the provided nonce and therefore conclude that the received sublicense is legal and store the sent sublicense. A method comprising: 24. The method of claim 23, wherein the method is used in combination with a method of checking in a checked-out sublicense, deleting the checked-out sublicense, and then checking out. Providing a credit notification to the second device that the expired sublicense has indeed been deleted. 25. The method of claim 24, wherein the second device is an identifier (ID) identifying the checked out sublicense and an identifier identifying the first device.
Adding a checked-out sublicense to the catalog by adding an item with (ID) to the catalog and checking in the checked-out sublicense requires a nonce to the second device and receives that nonce. , The received nonce, an identifier identifying the first device,
And send a list of all sublicenses currently placed on the first device to the second device, where
The deleted checked-out sublicense is not on the send list and the second device has received the nonce sent by the first device n
It concludes that it is the same as once, and therefore concludes that the identifiers and lists sent along with its sending nonce are legal, compare the sending list to the catalog, and checkout sublicenses deleted are cataloged. But not in the distribution list, and deleting from the catalog an entry having an identifier identifying the deleted checked-out sublicense and an identifier identifying the first device. how to. 26. A method of checking out a sublicense from a second device to a first device, the method requesting a nonce (one-time key, hereafter referred to as nonce ') from the first device, and the nonce. Received a checked out sublicense and received a nonc
including sending e to the first device, the first device concluding that the nonce sent by the second device is the same as the nonce received by the second device, and is therefore attached to the sending nonce. Storing the transmitted sublicense, concluding that the transmitted sublicense is legal. 27. The method of claim 26, further comprising adding the checked-out sublicense to a catalog. 28. The method according to claim 27, wherein adding a checked-out sublicense to a catalog is performed by an identifier (ID) identifying a checked-out sublicense and an identifier (ID) identifying a first device. Adding to a catalog. 29. The method of claim 27, wherein the method is used in combination with a method of checking in a checked-out sublicense and first providing a credit notification that the checked-out sublicense has been deleted.
A method comprising receiving from a device. 30. The method of claim 29, wherein checking in a checked-out sublicense receives a nonce from a first device and provides its nonce, the nonce provided, the first device being identified. An identifier to send and a list of all sublicenses currently placed on the first device are received from the first device, where the deleted checked-out sublicense is not on the send list and the received nonce is provided. , And therefore the received identifier and list are legitimate, comparing the received list with the catalog and removing the checked out sublicenses in the catalog. , Which is not on the distribution list and has an identifier that identifies the deleted checked-out sublicense To remove an item from a catalog having an identifier that identifies the first device, a method which comprises the. 31. A method of checking out a sublicense from a second device to a first device, the method comprising: nonce (one time key, hereinafter nonc) by the second device.
a nonc received as a checked-out sublicense.
sending e to the first device by the second device, concluding by the first device that the nonce sent from the second device is the same as the nonce received by the second device, and thus is attached to the sending nonce. Concluding that the transmitted sublicense is legal by the first device and storing the transmitted sublicense by the first device. 32. The method of claim 31, further comprising adding a checked out sublicense to a catalog by a second device. 33. The method of claim 32, wherein adding a checked out sublicense to a catalog includes cataloging an item that includes an identifier identifying a checked out sublicense and an identifier identifying a first device. A method comprising adding. 34. The method of claim 32, wherein the method is used in combination with a method of checking in a checked-out sublicense, deleting the checked-out sublicense from the first device, and thereafter. , Providing a credit notification to the second device that the checked-out sublicense has indeed been deleted. 35. The method of claim 34, wherein checking in a checked-out sublicense removes the checked-out sublicense from a first device by a first device and a nonce by a first device. Request 2 devices,
Receiving the nonce, the received nonce, an identifier identifying the first device,
And a list of all sublicenses placed on the first device is sent by the first device to the second device, where the deleted checked-out sublicense is not in the list sent and by the first device It is concluded by the second device that the transmitted nonce is the same as the nonce received by the first device, and therefore that the identifiers and lists transmitted accompanying the transmitted nonce are legal. And compare the sending list with the catalog and the second device,
A second entry is created that records that the deleted checked-out sublicense is in the catalog but not on the distribution list, and has an identifier that identifies the deleted checked-out sublicense and an identifier that identifies the first device. Deleting by a device from a catalog.